EU AI Act | Survey of amendments (structured view)

December 2023

As the trialogue on finalising the text of the EU AI Act is unfolding, we are showing here what negotiators from the European Parliament, Council and Commission have to work with. 

Shown in the table are:

To make it easier to compare the various texts proposed by the three EU institutions, we have taken the following approach:

a. When both the Council and the Parliament propose new text, the proposed texts are placed within the same row, in parallel cells if the texts refer to similar issues (i.e. can be compared). This is done even when the numbering of the proposed text is different across Parliament, Council, and/or Commission. 

See, for instance: 

  • recital 6a: same numbering, both texts refer to machine learning.
  • Recitals 12a-Parliament and 12b-Council: different numbering, but both texts refer to research.

b. If the proposed texts, despite having the same numbering, cover completely different issues, they are placed in distinct rows

See, for instance, recital 5a: same numbering in the Parliament’s and the Council’s versions, but different text.

For a full, simple display of the text, please see this page.

Introduction

Citations 1-6; Recitals 1-89
NumeringCommissionParliamentCouncilText proposed by the AI
THE EUROPEAN PARLIAMENT AND THE COUNCIL OF THE EUROPEAN UNION,THE EUROPEAN PARLIAMENT AND THE COUNCIL OF THE EUROPEAN UNION,THE EUROPEAN PARLIAMENT AND THE COUNCIL OF THE EUROPEAN UNION,THE EUROPEAN PARLIAMENT AND THE COUNCIL OF THE EUROPEAN UNION,
Citation 1Having regard to the Treaty on the Functioning of the European Union, and in particular Articles 16 and 114 thereof,Having regard to the Treaty on the Functioning of the European Union, and in particular Articles 16 and 114 thereof,Having regard to the Treaty on the Functioning of the European Union, and in particular Articles 16 and 114 thereof,Having regard to the Treaty on the Functioning of the European Union, and in particular Articles 16 and 114 thereof,
Citation 2Having regard to the proposal from the European Commission,Having regard to the proposal from the European Commission,Having regard to the proposal from the European Commission,Having regard to the proposal from the European Commission,
Citation 3After transmission of the draft legislative act to the national parliaments,After transmission of the draft legislative act to the national parliaments,After transmission of the draft legislative act to the national parliaments,After transmission of the draft legislative act to the national parliaments,
Citation 4Having regard to the opinion of the European Economic and Social Committee31,

31. OJ C […], […], p. […].		Having regard to the opinion of the European Economic and Social Committee31,

31. OJ C […], […], p. […].		Having regard to the opinion of the European Economic and Social Committee1,

1. OJ C […], […], p. […].		Having regard to the opinion of the European Economic and Social Committee1,

1. OJ C […], […], p. […].
Citation 4a (new)Having regard to the opinion of the European Central Bank,Having regard to the opinion of the European Central Bank3,


3. Reference to ECB opinion		Having regard to the opinion of the European Central Bank,
Citation 4b (new)Having regard to the joint opinion of the European Data Protection Board and the European Data Protection Supervisor,None
Citation 5Having regard to the opinion of the Committee of the Regions32,

32. OJ C […], […], p. […].		Having regard to the opinion of the Committee of the Regions32,

32. OJ C […], […], p. […].		Having regard to the opinion of the Committee of the Regions2,

2. OJ C […], […], p. […].		Having regard to the opinion of the Committee of the Regions,

OJ C […], […], p. […].
Citation 6Acting in accordance with the ordinary legislative procedure,Acting in accordance with the ordinary legislative procedure,Acting in accordance with the ordinary legislative procedure,Acting in accordance with the ordinary legislative procedure,
Whereas,Whereas,Whereas,None
Recital (1)(1) The purpose of this Regulation is to improve the functioning of the internal market by laying down a uniform legal framework in particular for the development, marketing and use of artificial intelligence in conformity with Union values. This Regulation pursues a number of overriding reasons of public interest, such as a high level of protection of health, safety and fundamental rights, and it ensures the free movement of AI-based goods and services cross-border, thus preventing Member States from imposing restrictions on the development, marketing and use of AI systems, unless explicitly authorised by this Regulation.(1) The purpose of this Regulation is to promote the uptake of human centric and trustworthy artificial intelligence and to ensure a high level of protection of health, safety, fundamental rights, democracy and rule of law and the environment from harmful effects of artificial intelligence systems in the Union while supporting innovation and improving the functioning of the internal market. This Regulation lays down a uniform legal framework in particular for the development, the placing on the market, the putting into service and the use of artificial intelligence in conformity with Union values and ensures the free movement of AI-based goods and services cross-border, thus preventing Member States from imposing restrictions on the development, marketing and use of Artificial Intelligence systems (AI systems), unless explicitly authorised by this Regulation. Certain AI systems can also have an impact on democracy and rule of law and the environment. These concerns are specifically addressed in the critical sectors and use cases listed in the annexes to this Regulation.(1) The purpose of this Regulation is to improve the functioning of the internal market by laying down a uniform legal framework in particular for the development, marketing and use of artificial intelligence in conformity with Union values. This Regulation pursues a number of overriding reasons of public interest, such as a high level of protection of health, safety and fundamental rights, and it ensures the free movement of AI-based goods and services cross- border, thus preventing Member States from imposing restrictions on the development, marketing and use of AI systems, unless explicitly authorised by this Regulation.(1) The purpose of this Regulation is to improve the functioning of the internal market and promote the uptake of human centric and trustworthy artificial intelligence by laying down a uniform legal framework for the development, marketing, placing on the market, putting into service and use of artificial intelligence in conformity with Union values. This Regulation pursues a number of overriding reasons of public interest, such as a high level of protection of health, safety, fundamental rights, democracy, rule of law and the environment from harmful effects of artificial intelligence systems. It ensures the free movement of AI-based goods and services cross-border, thus preventing Member States from imposing restrictions on the development, marketing and use of AI systems, unless explicitly authorised by this Regulation. Certain AI systems can also have an impact on democracy and rule of law and the environment. These concerns are specifically addressed in the critical sectors and use cases listed in the annexes to this Regulation.
Recital (1a) (new)(1a) This Regulation should preserve the values of the Union facilitating the distribution of artificial intelligence benefits across society, protecting individuals, companies, democracy and rule of law and the environment from risks while boosting innovation and employment and making the Union a leader in the field.This Regulation aims to uphold the values of the Union by facilitating the equitable distribution of benefits derived from artificial intelligence across society. It seeks to protect individuals, companies, democracy, rule of law, and the environment from potential risks, while simultaneously promoting innovation and employment. The ultimate goal is to establish the Union as a leader in the field of artificial intelligence.
Recital (2)(2)  Artificial intelligence systems (AI systems) can be easily deployed in multiple sectors of the economy and society, including cross border, and circulate throughout the Union. Certain Member States have already explored the adoption of national rules to ensure that artificial intelligence is safe and is developed and used in compliance with fundamental rights obligations. Differing national rules may lead to fragmentation of the internal market and decrease legal certainty for operators that develop or use AI systems. A consistent and high level of protection throughout the Union should therefore be ensured, while divergences hampering the free circulation of AI systems and related products and services within the internal market should be prevented, by laying down uniform obligations for operators and guaranteeing the uniform protection of overriding reasons of public interest and of rights of persons throughout the internal market based on Article 114 of the Treaty on the Functioning of the European Union (TFEU). To the extent that this Regulation contains specific rules on the protection of individuals with regard to the processing of personal data concerning restrictions of the use of AI systems for ‘real-time’ remote biometric identification in publicly accessible spaces for the purpose of law enforcement, it is appropriate to base this Regulation, in as far as those specific rules are concerned, on Article 16 of the TFEU. In light of those specific rules and the recourse to Article 16 TFEU, it is appropriate to consult the European Data Protection Board.(2)  AI systems can be easily deployed in multiple sectors of the economy and society, including cross border, and circulate throughout the Union. Certain Member States have already explored the adoption of national rules to ensure that artificial intelligence is trustworthy and safe and is developed and used in compliance with fundamental rights obligations. Differing national rules may lead to fragmentation of the internal market and decrease legal certainty for operators that develop or use AI systems. A consistent and high level of protection throughout the Union should therefore be ensured in order to achieve trustworthy AI, while divergences hampering the free circulation, innovation, deployment and uptake of AI systems and related products and services within the internal market should be prevented, by laying down uniform obligations for operators and guaranteeing the uniform protection of overriding reasons of public interest and of rights of persons throughout the internal market based on Article 114 of the Treaty on the Functioning of the European Union (TFEU).(2) Artificial intelligence systems (AI systems) can be easily deployed in multiple sectors of the economy and society, including cross border, and circulate throughout the Union. Certain Member States have already explored the adoption of national rules to ensure that artificial intelligence is safe and is developed and used in compliance with fundamental rights obligations. Differing national rules may lead to fragmentation of the internal market and decrease legal certainty for operators that develop, import or use AI systems. A consistent and high level of protection throughout the Union should therefore be ensured, while divergences hampering the free circulation of AI systems and related products and services within the internal market should be prevented, by laying down uniform obligations for operators and guaranteeing the uniform protection of overriding reasons of public interest and of rights of persons throughout the internal market based on Article 114 of the Treaty on the Functioning of the European Union (TFEU). To the extent that this Regulation contains specific rules on the protection of individuals with regard to the processing of personal data concerning restrictions of the use of AI systems for ‘real-time’ remote biometric identification in publicly accessible spaces for the purpose of law enforcement, it is appropriate to base this Regulation, in as far as those specific rules are concerned, on Article 16 of the TFEU. In light of those specific rules and the recourse to Article 16 TFEU, it is appropriate to consult the European Data Protection Board.(2) Artificial intelligence systems (AI systems) can be easily deployed in multiple sectors of the economy and society, including cross border, and circulate throughout the Union. Certain Member States have already explored the adoption of national rules to ensure that artificial intelligence is trustworthy, safe and is developed and used in compliance with fundamental rights obligations. Differing national rules may lead to fragmentation of the internal market and decrease legal certainty for operators that develop, import or use AI systems. A consistent and high level of protection throughout the Union should therefore be ensured in order to achieve trustworthy AI, while divergences hampering the free circulation, innovation, deployment and uptake of AI systems and related products and services within the internal market should be prevented, by laying down uniform obligations for operators and guaranteeing the uniform protection of overriding reasons of public interest and of rights of persons throughout the internal market based on Article 114 of the Treaty on the Functioning of the European Union (TFEU). To the extent that this Regulation contains specific rules on the protection of individuals with regard to the processing of personal data concerning restrictions of the use of AI systems for ‘real-time’ remote biometric identification in publicly accessible spaces for the purpose of law enforcement, it is appropriate to base this Regulation, in as far as those specific rules are concerned, on Article 16 of the TFEU. In light of those specific rules and the recourse to Article 16 TFEU, it is appropriate to consult the European Data Protection Board.
Recital (2a) (new)(2a) As artificial intelligence often relies on the processing of large volumes of data, and many AI systems and applications on the processing of personal data, it is appropriate to base this Regulation on Article 16 TFEU, which enshrines the right to the protection of natural persons with regard to the processing of personal data and provides for the adoption of rules on the protection of individuals with regard to the processing of personal data.Given the reliance of artificial intelligence on the processing of large volumes of data, including personal data, this Regulation should be based on Article 16 TFEU. This article upholds the right to the protection of natural persons in relation to the processing of personal data and mandates the adoption of rules for the protection of individuals concerning the processing of personal data.
Recital (2b) (new)(2b)  The fundamental right to the protection of personal data is safeguarded in particular by Regulations (EU) 2016/679 and (EU) 2018/1725 and Directive 2016/680. Directive 2002/58/EC additionally protects private life and the confidentiality of communications, including providing conditions for any personal and non-personal data storing in and access from terminal equipment. Those legal acts provide the basis for sustainable and responsible data processing, including where datasets include a mix of personal and nonpersonal data. This Regulation does not seek to affect the application of existing Union law governing the processing of personal data, including the tasks and powers of the independent supervisory authorities competent to monitor compliance with those instruments. This Regulation does not affect the fundamental rights to private life and the protection of personal data as provided for by Union law on data protection and privacy and enshrined in the Charter of Fundamental Rights of the European Union (the ‘Charter’).The fundamental right to the protection of personal data is upheld by Regulations (EU) 2016/679 and (EU) 2018/1725 and Directive 2016/680. Directive 2002/58/EC further safeguards private life and the confidentiality of communications, including setting conditions for any personal and non-personal data storage in and access from terminal equipment. These legal acts form the foundation for sustainable and responsible data processing, even when datasets comprise a mix of personal and non-personal data. This Regulation does not aim to alter the application of existing Union law governing the processing of personal data, including the tasks and powers of the independent supervisory authorities responsible for ensuring compliance with these instruments. This Regulation does not impact the fundamental rights to private life and the protection of personal data as stipulated by Union law on data protection and privacy and enshrined in the Charter of Fundamental Rights of the European Union (the ‘Charter’).
Recital (2c) (new)(2c)  Artificial intelligence systems in the Union are subject to relevant product safety legislation that provides a framework protecting consumers against dangerous products in general and such legislation should continue to apply. This Regulation is also without prejudice to the rules laid down by other Union legal acts related to consumer protection and product safety, including including Regulation (EU) 2017/2394, Regulation (EU) 2019/1020 and Directive 2001/95/EC on general product safety and Directive 2013/11/EU.Artificial intelligence systems in the Union are subject to relevant product safety legislation that provides a framework protecting consumers against dangerous products in general. Such legislation should continue to apply. This Regulation is also without prejudice to the rules laid down by other Union legal acts related to consumer protection and product safety, including Regulation (EU) 2017/2394, Regulation (EU) 2019/1020 and Directive 2001/95/EC on general product safety and Directive 2013/11/EU.
Recital (2d) (new)(2d)  In accordance with Article 114(2) TFEU, this Regulation complements and should not undermine the rights and interests of employed persons. This Regulation should therefore not affect Union law on social policy and national labour law and practice, that is any legal and contractual provision concerning employment conditions, working conditions, including health and safety at work and the relationship between employers and workers, including information, consultation and participation. This Regulation should not affect the exercise of fundamental rights as recognised in the Member States and at Union level, including the right or freedom to strike or to take other action covered by the specific industrial relations systems in Member States, in accordance with national law and/or practice. Nor should it affect concertation practices, the right to negotiate, to conclude and enforce collective agreement or to take collective action in accordance with national law and/or practice. It should in any event not prevent the Commission from proposing specific legislation on the rights and freedoms of workers affected by AI systems.In line with Article 114(2) TFEU, this Regulation is designed to complement and not undermine the rights and interests of employed individuals. It should not impact Union law on social policy, national labour law and practice, or any legal and contractual provisions related to employment conditions, working conditions, including health and safety at work, and the relationship between employers and workers, including information, consultation, and participation.

The Regulation should not interfere with the exercise of fundamental rights as recognised in the Member States and at Union level, including the right or freedom to strike or to take other action covered by the specific industrial relations systems in Member States, in accordance with national law and/or practice.

Furthermore, it should not affect concertation practices, the right to negotiate, to conclude and enforce collective agreement or to take collective action in accordance with national law and/or practice.

Lastly, this Regulation should not prevent the Commission from proposing specific legislation on the rights and freedoms of workers affected by AI systems.
Recital (2e) (new)(2e)  This Regulation should not affect the provisions aiming to improve working conditions in platform work set out in Directive … [COD 2021/414/EC].This Regulation should not interfere with the provisions aimed at enhancing working conditions in platform work as outlined in Directive … [COD 2021/414/EC].
Recital (2f) (new)(2f)  This Regulation should help in supporting research and innovation and should not undermine research and development activity and respect freedom of scientific research. It is therefore necessary to exclude from its scope AI systems specifically developed for the sole purpose of scientific research and development and to ensure that the Regulation does not otherwise affect scientific research and development activity on AI systems. Under all circumstances, any research and development activity should be carried out in accordance with the Charter, Union law as well as the national law;This Regulation is intended to support research and innovation, without undermining or affecting research and development activities, while respecting the freedom of scientific research. Therefore, AI systems that are specifically developed for the sole purpose of scientific research and development should be excluded from the scope of this Regulation. It is crucial to ensure that all research and development activities on AI systems are conducted in accordance with the Charter, Union law, and national law.
Recital (3)(3)  Artificial intelligence is a fast evolving family of technologies that can contribute to a wide array of economic and societal benefits across the entire spectrum of industries and social activities. By improving prediction, optimising operations and resource allocation, and personalising digital solutions available for individuals and organisations, the use of artificial intelligence can provide key competitive advantages to companies and support socially and environmentally beneficial outcomes, for example in healthcare, farming, education and training, infrastructure management, energy, transport and logistics, public services, security, justice, resource and energy efficiency, and climate change mitigation and adaptation.(3)  Artificial intelligence is a fast evolving family of technologies that can and already contributes to a wide array of economic, environmental and societal benefits across the entire spectrum of industries and social activities if developed in accordance with relevant general principles in line with the Charter and the values on which the Union is founded. By improving prediction, optimising operations and resource allocation, and personalising digital solutions available for individuals and organisations, the use of artificial intelligence can provide key competitive advantages to companies and support socially and environmentally beneficial outcomes, for example in healthcare, farming, food safety, education and training, media, sports, culture, infrastructure management, energy, transport and logistics, crisis management, public services, security, justice, resource and energy efficiency, environmental monitoring, the conservation and restoration of biodiversity and ecosystems and climate change mitigation and adaptation.(3) Artificial intelligence is a fast evolving family of technologies that can contribute to a wide array of economic and societal benefits across the entire spectrum of industries and social activities. By improving prediction, optimising operations and resource allocation, and personalising digital solutions available for individuals and organisations, the use of artificial intelligence can provide key competitive advantages to companies and support socially and environmentally beneficial outcomes, for example in healthcare, farming, education and training, infrastructure management, energy, transport and logistics, public services, security, justice, resource and energy efficiency, and climate change mitigation and adaptation.(3) Artificial intelligence is a fast evolving family of technologies that can and already contributes to a wide array of economic, environmental and societal benefits across the entire spectrum of industries and social activities if developed in accordance with relevant general principles in line with the Charter and the values on which the Union is founded. By improving prediction, optimising operations and resource allocation, and personalising digital solutions available for individuals and organisations, the use of artificial intelligence can provide key competitive advantages to companies and support socially and environmentally beneficial outcomes. These outcomes can be seen in various sectors such as healthcare, farming, food safety, education and training, media, sports, culture, infrastructure management, energy, transport and logistics, crisis management, public services, security, justice, resource and energy efficiency, environmental monitoring, the conservation and restoration of biodiversity and ecosystems, and climate change mitigation and adaptation.
Recital (3a) (new)(3a)  To contribute to reaching the carbon neutrality targets, European companies should seek to utilise all available technological advancements that can assist in realising this goal. Artificial Intelligence is a technology that has the potential of being used to process the ever-growing amount of data created during industrial, environmental, health and other processes. To facilitate investments in AI-based analysis and optimisation tools, this Regulation should provide a predictable and proportionate environment for low-risk industrial solutions.In order to achieve the carbon neutrality targets, it is crucial for European companies to leverage all available technological advancements. Artificial Intelligence, in particular, holds significant potential for processing the increasing volume of data generated from industrial, environmental, health, and other processes. Therefore, this Regulation should establish a predictable and proportionate environment to encourage investments in AI-based analysis and optimisation tools, specifically for low-risk industrial solutions.
Recital (4)(4)  At the same time, depending on the circumstances regarding its specific application and use, artificial intelligence may generate risks and cause harm to public interests and rights that are protected by Union law. Such harm might be material or immaterial.(4)  At the same time, depending on the circumstances regarding its specific application and use, as well as the level of technological development, artificial intelligence may generate risks and cause harm to public or private interests and fundamental rights of natural persons that are protected by Union law. Such harm might be material or immaterial, including physical, psychological, societal or economic harm.(4) At the same time, depending on the circumstances regarding its specific application and use, artificial intelligence may generate risks and cause harm to public interests and rights that are protected by Union law. Such harm might be material or immaterial.(4) At the same time, depending on the circumstances regarding its specific application and use, as well as the level of technological development, artificial intelligence may generate risks and cause harm to public or private interests and fundamental rights of natural persons that are protected by Union law. Such harm might be material or immaterial, including physical, psychological, societal or economic harm.
Recital (4a) (new)(4a)  Given the major impact that artificial intelligence can have on society and the need to build trust, it is vital for artificial intelligence and its regulatory framework to be developed according to Union values enshrined in Article 2 TEU, the fundamental rights and freedoms enshrined in the Treaties, the Charter, and international human rights law. As a pre-requisite, artificial intelligence should be a human-centric technology. It should not substitute human autonomy or assume the loss of individual freedom and should primarily serve the needs of the society and the common good. Safeguards should be provided to ensure the development and use of ethically embedded artificial intelligence that respects Union values and the Charter.Given the significant societal implications of artificial intelligence and the necessity to foster trust, it is crucial that the development and regulatory framework of artificial intelligence align with the Union values outlined in Article 2 TEU, the fundamental rights and freedoms enshrined in the Treaties, the Charter, and international human rights law. Artificial intelligence should be a human-centric technology, not replacing human autonomy or implying the loss of individual freedom, but primarily serving societal needs and the common good. Measures should be implemented to ensure the development and application of ethically embedded artificial intelligence that respects Union values and the Charter.
Recital (5)(5)  A Union legal framework laying down harmonised rules on artificial intelligence is therefore needed to foster the development, use and uptake of artificial intelligence in the internal market that at the same time meets a high level of protection of public interests, such as health and safety and the protection of fundamental rights, as recognised and protected by Union law. To achieve that objective, rules regulating the placing on the market and putting into service of certain AI systems should be laid down, thus ensuring the smooth functioning of the internal market and allowing those systems to benefit from the principle of free movement of goods and services. By laying down those rules, this Regulation supports the objective of the Union of being a global leader in the development of secure, trustworthy and ethical artificial intelligence, as stated by the European Council33, and it ensures the protection of ethical principles, as specifically requested by the European Parliament34.

——————
33. European Council, Special meeting of the European Council (1 and 2 October 2020) – Conclusions, EUCO 13/20, 2020, p. 6.
34. European Parliament resolution of 20 October 2020 with recommendations to the Commission on a framework of ethical aspects of artificial intelligence, robotics and related technologies, 2020/2012(INL).		(5)  A Union legal framework laying down harmonised rules on artificial intelligence is therefore needed to foster the development, use and uptake of artificial intelligence in the internal market that at the same time meets a high level of protection of public interests, such as health and safety, protection of fundamental rights, democracy and rule of law and the environment, as recognised and protected by Union law. To achieve that objective, rules regulating the placing on the market, the putting into service and the use of certain AI systems should be laid down, thus ensuring the smooth functioning of the internal market and allowing those systems to benefit from the principle of free movement of goods and services. These rules should be clear and robust in protecting fundamental rights, supportive of new innovative solutions, and enabling to a European ecosystem of public and private actors creating AI systems in line with Union values. By laying down those rules as well as measures in support of innovation with a particular focus on SMEs and start-ups, this Regulation supports the objective of promoting the AI made in Europe, of the Union of being a global leader in the development of secure, trustworthy and ethical artificial intelligence, as stated by the European Council33, and it ensures the protection of ethical principles, as specifically requested by the European Parliament34.

——————
33. European Council, Special meeting of the European Council (1 and 2 October 2020) – Conclusions, EUCO 13/20, 2020, p. 6.
34. European Parliament resolution of 20 October 2020 with recommendations to the Commission on a framework of ethical aspects of artificial intelligence, robotics and related technologies, 2020/2012(INL).		A Union legal framework laying down harmonised rules on artificial intelligence is therefore needed to foster the development, use and uptake of artificial intelligence in the internal market that at the same time meets a high level of protection of public interests, such as health and safety and the protection of fundamental rights, as recognised and protected by Union law. To achieve that objective, rules regulating the placing on the market and putting into service of certain AI systems should be laid down, thus ensuring the smooth functioning of the internal market and allowing those systems to benefit from the principle of free movement of goods and services. By laying down those rules and building on the work of the High-level Expert Group on Artificial Intelligence as reflecetd in the Guidelines for Trustworthy Artificial Intelligence in the EU, this Regulation supports the objective of the Union of being a global leader in the development of secure, trustworthy and ethical artificial intelligence as stated by the European Council4, and it ensures the protection of ethical principles, as specifically requested by the European Parliament5.


4. European Council, Special meeting of the European Council (1 and 2 October 2020) – Conclusions, EUCO 13/20, 2020, p. 6.
5. European Parliament resolution of 20 October 2020 with recommendations to the Commission on a framework of ethical aspects of artificial intelligence, robotics and related technologies, 2020/2012(INL).		A Union legal framework laying down harmonised rules on artificial intelligence is therefore needed to foster the development, use and uptake of artificial intelligence in the internal market that at the same time meets a high level of protection of public interests, such as health and safety, protection of fundamental rights, democracy and rule of law and the environment, as recognised and protected by Union law. To achieve that objective, rules regulating the placing on the market, the putting into service and the use of certain AI systems should be laid down, thus ensuring the smooth functioning of the internal market and allowing those systems to benefit from the principle of free movement of goods and services. These rules should be clear and robust in protecting fundamental rights, supportive of new innovative solutions, and enabling to a European ecosystem of public and private actors creating AI systems in line with Union values. By laying down those rules as well as measures in support of innovation with a particular focus on SMEs and start-ups, and building on the work of the High-level Expert Group on Artificial Intelligence as reflected in the Guidelines for Trustworthy Artificial Intelligence in the EU, this Regulation supports the objective of promoting the AI made in Europe, of the Union of being a global leader in the development of secure, trustworthy and ethical artificial intelligence, as stated by the European Council, and it ensures the protection of ethical principles, as specifically requested by the European Parliament.
Recital (5a) (new) [C](5a) The harmonised rules on the placing on the market, putting into service and use of AI systems laid down in this Regulation should apply across sectors and, in line with its New Legislative Framework approach, should be without prejudice to existing Union law, notably on data protection, consumer protection, fundamental rights, employment and product safety, to which this Regulation is complementary. As a consequence all rights and remedies afforded by such Union law to consumers and other persons who may be negatively impacted by AI systems, including as regards the compensation of possible damages pursuant to Council Directive 85/374/EEC of 25 July 1985 on the approximation of the laws, regulations and administrative provisions of the Member States concerning liability for defective products, remain unaffected and fully applicable. On top of that, this Regulation aims to strengthen the effectiveness of such existing rights and remedies by establishing specific requirements and obligations, including in respect of transparency, technical documentation and record-keeping of AI systems. Furthermore, the obligations placed on various operators involved in the AI value chain under this Regulation should apply without prejudice to national laws, in compliance with Union law, having the effect of limiting the use of certain AI systems where such laws fall outside the scope of this Regulation or pursue other legitimate public interest objectives than those pursued by this Regulation. For example, national labour law and the laws on the protection of minors (i.e. persons below the age of 18) taking into account the United Nations General Comment No 25 (2021) on children’s rights, insofar as they are not specific to AI systems and pursue other legimitate public interest objectives, should not be affected by this Regulation.(5a) This Regulation establishes harmonised rules for the marketing, operation, and use of AI systems across all sectors. These rules are in line with the New Legislative Framework approach and do not prejudice existing Union law, including data protection, consumer protection, fundamental rights, employment, and product safety. This Regulation complements these existing laws, ensuring that all rights and remedies provided by such Union law to consumers and other individuals potentially negatively affected by AI systems remain intact and fully applicable. This includes compensation for possible damages under Council Directive 85/374/EEC of 25 July 1985. Additionally, this Regulation seeks to enhance the effectiveness of these existing rights and remedies by setting specific requirements and obligations, including transparency, technical documentation, and record-keeping of AI systems. The obligations imposed on various operators in the AI value chain by this Regulation apply without prejudice to national laws that limit the use of certain AI systems, provided these laws are in compliance with Union law, fall outside the scope of this Regulation, or pursue other legitimate public interest objectives. National labour laws and laws protecting minors (i.e., individuals under 18), in line with the United Nations General Comment No 25 (2021) on children’s rights, should not be affected by this Regulation, provided they are not specific to AI systems and pursue other legitimate public interest objectives.
Recital (5a) (new) [P](5a)  Furthermore, in order to foster the development of AI systems in line with Union values, the Union needs to address the main gaps and barriers blocking the potential of the digital transformation including the shortage of digitally skilled workers, cybersecurity concerns, lack of investment and access to investment, and existing and potential gaps between large companies, SME’s and start-ups. Special attention should be paid to ensuring that the benefits of AI and innovation in new technologies are felt across all regions of the Union and that sufficient investment and resources are provided especially to those regions that may be lagging behind in some digital indicators. In order to promote the growth of AI systems in harmony with Union values, it is crucial to address the primary gaps and obstacles hindering the potential of digital transformation. These include the scarcity of digitally skilled workers, cybersecurity issues, insufficient investment and access to investment, and the existing and potential disparities between large corporations, SMEs, and start-ups. It is important to ensure that the advantages of AI and innovation in new technologies are experienced across all regions of the Union. Special focus should be given to providing adequate investment and resources, particularly to those regions that may be trailing in certain digital indicators.
Recital (6)(6)  The notion of AI system should be clearly defined to ensure legal certainty, while providing the flexibility to accommodate future technological developments. The definition should be based on the key functional characteristics of the softwarein particular the ability, for a given set of human-defined objectives, to generate outputs such as content, predictions, recommendations, or decisions which influence the environment with which the system interacts, be it in a physical or digital dimension. AI systems can be designed to operate with varying levels of autonomy and be used on a stand-alone basis or as a component of a product, irrespective of whether the system is physically integrated into the product (embedded) or serve the functionality of the product without being integrated therein (non-embedded). The definition of AI system should be complemented by a list of specific techniques and approaches used for its development, which should be kept up-to–date in the light of market and technological developments through the adoption of delegated acts by the Commission to amend that list.(6)  The notion of AI system in this Regulation should be clearly defined and closely aligned with the work of international organisations working on artificial intelligence to ensure legal certainty, harmonization and wide acceptance, while providing the flexibility to accommodate the rapidtechnological developments in this field. Moreover, it should be based on key characteristics of artificial intelligence, such as its learning, reasoning or modelling capabilities, so as to distinguish it from simpler software systems or programming approaches. AI systems are designed to operate with varying levels of autonomy, meaning that they have at least some degree of independence of actions from human controls and of capabilities to operate without human intervention. The term “machine-based” refers to the fact that AI systems run on machines. The reference to explicit or implicit objectives underscores that AI systems can operate according to explicit human-defined objectives or to implicit objectives. The objectives of the AI system may be different from the intended purpose of the AI system in a specific context. The reference to predictions includes content, which is considered in this Regulation a form of prediction as one of the possible outputs produced by an AI system. For the purposes of this Regulation, environments should be understood as the contexts in which the AI systems operate, whereas outputs generated by the AI system, meaning predictions, recommendations or decisions, respond to the objectives of the system, on the basis of inputs from said environmentSuch output further influences said environment, even by merely introducing new information to it. (6) The notion of AI system should be clearly defined to ensure legal certainty, while providing the flexibility to accommodate future technological developments. The definition should be based on key functional characteristics of artificial intelligence such as its learning, reasoning or modelling capabilities, distinguishing it from simpler software systems and programming approaches. In particular, for the purposes of this Regulation AI systems should have the ability, on the basis of machine and/or human-based data and inputs, to infer the way to achieve a set of final objectives given to them by humans, using machine learning and/or logic- and knowledge based approaches and to produce outputs such as content for generative AI systems (e.g. text, video or images), predictions, recommendations or decisions, influencing the environment with which the system interacts, be it in a physical or digital dimension. A system that uses rules defined solely by natural persons to automatically execute operations should not be considered an AI system. AI systems can be designed to operate with varying levels of autonomy and be used on a stand-alone basis or as a component of a product, irrespective of whether the system is physically integrated into the product (embedded) or serve the functionality of the product without being integrated therein (non-embedded). The concept of the autonomy of an AI system relates to the degree to which such a system functions without human involvement.(6) The notion of AI system in this Regulation should be clearly defined to ensure legal certainty, harmonization, and wide acceptance, while providing the flexibility to accommodate future and rapid technological developments. The definition should be based on key functional characteristics of the software, particularly its learning, reasoning, or modelling capabilities, distinguishing it from simpler software systems or programming approaches. AI systems are designed to operate with varying levels of autonomy, meaning that they have at least some degree of independence of actions from human controls and capabilities to operate without human intervention. For a given set of human-defined objectives, AI systems should have the ability to generate outputs such as content, predictions, recommendations, or decisions which influence the environment with which the system interacts, be it in a physical or digital dimension. The objectives of the AI system may be different from the intended purpose of the AI system in a specific context. AI systems can be used on a stand-alone basis or as a component of a product, irrespective of whether the system is physically integrated into the product (embedded) or serve the functionality of the product without being integrated therein (non-embedded). The concept of the autonomy of an AI system relates to the degree to which such a system functions without human involvement. The definition of AI system should be complemented by a list of specific techniques and approaches used for its development, which should be kept up-to-date in the light of market and technological developments through the adoption of delegated acts by the Commission to amend that list. This definition should be closely aligned with the work of international organisations working on artificial intelligence.
Recital (6a) (new)(6a)  AI systems often have machine learning capacities that allow them to adapt and perform new tasks autonomously. Machine learning refers to the computational process of optimizing the parameters of a model from data, which is a mathematical construct generating an output based on input data. Machine learning approaches include, for instance, supervised, unsupervised and reinforcement learning, using a variety of methods including deep learning with neural networks. This Regulation is aimed at addressing new potential risks that may arise by delegating control to AI systems, in particular to those AI systems that can evolve after deployment. The function and outputs of many of these AI systems are based on abstract mathematical relationships that are difficult for humans to understand, monitor and trace back to specific inputs. These complex and opaque characteristics (black box element) impact accountability and explainability. Comparably simpler techniques such as knowledge-based approaches, Bayesian estimation or decision-trees may also lead to legal gaps that need to be addressed by this Regulation, in particular when they are used in combination with machine learning approaches in hybrid systems.(6a) Machine learning approaches focus on the development of systems capable of learning and inferring from data to solve an application problem without being explicitly programmed with a set of step-by-step instructions from input to output. Learning refers to the computational process of optimizing from data the parameters of the model, which is a mathematical construct generating an output based on input data. The range of problems addressed by machine learning typically involves tasks for which other approaches fail, either because there is no suitable formalisation of the problem, or because the resolution of the problem is intractable with non-learning approaches. Machine learning approaches include for instance supervised, unsupervised and reinforcement learning, using a variety of methods including deep learning with neural networks, statistical techniques for learning and inference (including for instance logistic regression, Bayesian estimation) and search and optimisation methods.(6a) AI systems, particularly those with machine learning capacities, are capable of adapting and performing new tasks autonomously. Machine learning refers to the computational process of optimizing the parameters of a model from data, which is a mathematical construct generating an output based on input data. This process allows systems to learn and infer from data to solve an application problem without being explicitly programmed with a set of step-by-step instructions. Machine learning approaches include, for instance, supervised, unsupervised and reinforcement learning, using a variety of methods including deep learning with neural networks, statistical techniques for learning and inference such as logistic regression, Bayesian estimation, and search and optimisation methods.

These AI systems often address tasks for which other approaches fail, either because there is no suitable formalisation of the problem, or because the resolution of the problem is intractable with non-learning approaches. However, the function and outputs of many of these AI systems are based on abstract mathematical relationships that are difficult for humans to understand, monitor and trace back to specific inputs. These complex and opaque characteristics, often referred to as the ‘black box’ element, impact accountability and explainability.

This Regulation is aimed at addressing new potential risks that may arise by delegating control to AI systems, especially those that can evolve after deployment. Simpler techniques such as knowledge-based approaches, Bayesian estimation or decision-trees may also lead to legal gaps that need to be addressed by this Regulation, particularly when they are used in combination with machine learning approaches in hybrid systems.
Recital (6b) (new) [C](6b) Logic- and knowledge based approaches focus on the development of systems with logical reasoning capabilities on knowledge to solve an application problem. Such systems typically involve a knowledge base and an inference engine that generates outputs by reasoning on the knowledge base. The knowledge base, which is usually encoded by human experts, represents entities and logical relationships relevant for the application problem through formalisms based on rules, ontologies, or knowledge graphs. The inference engine acts on the knowledge base and extracts new information through operations such as sorting, searching, matching or chaining. Logic- and knowledge based approaches include for instance knowledge representation, inductive (logic) programming, knowledge bases, inference and deductive engines, (symbolic) reasoning, expert systems and search and optimisation methods.Logic- and knowledge-based approaches are centered on the creation of systems that utilize logical reasoning capabilities to address a specific application problem. These systems typically comprise a knowledge base and an inference engine. The knowledge base, often encoded by human experts, represents entities and logical relationships pertinent to the application problem through formalisms such as rules, ontologies, or knowledge graphs. The inference engine operates on the knowledge base, generating outputs and extracting new information through operations like sorting, searching, matching, or chaining. Examples of logic- and knowledge-based approaches include knowledge representation, inductive (logic) programming, knowledge bases, inference and deductive engines, (symbolic) reasoning, expert systems, and search and optimisation methods.
Recital (6b) (new) [P](6b)  AI systems can be used as stand-alone software system, integrated into a physical product (embedded), used to serve the functionality of a physical product without being integrated therein (non-embedded) or used as an AI component of a larger system. If this larger system would not function without the AI component in question, then the entire larger system should be considered as one single AI system under this Regulation.AI systems can be utilized in various forms such as stand-alone software systems, integrated into a physical product (embedded), used to serve the functionality of a physical product without being integrated therein (non-embedded), or used as an AI component of a larger system. In cases where the larger system would not function without the AI component, the entire larger system should be considered as a single AI system under this Regulation.
Recital (6c) (new)(6c) In order to ensure uniform conditions for the implementation of this Regulation as regards machine learning approaches and logic- and knowledged based approaches and to take account of market and technological developments, implementing powers should be conferred on the Commission.In order to ensure uniform conditions for the implementation of this Regulation, particularly in relation to machine learning approaches and logic- and knowledge-based approaches, and to accommodate market and technological developments, implementing powers should be conferred on the Commission.
Recital (6d) (new)(6d) The notion of ‘user’ referred to in this Regulation should be interpreted as any natural or legal person, including a public authority, agency or other body, using an AI system under whose authority the system is used. Depending on the type of AI system, the use of the system may affect persons other than the user.(6d) The term ‘user’ as mentioned in this Regulation should be understood as any natural or legal entity, encompassing a public authority, agency, or other bodies, that operates an AI system under their authority. The use of the AI system may have implications for individuals other than the user, depending on the specific type of AI system in use.
Recital (7)(7)  The notion of biometric data used in this Regulation is in line with and should be interpreted consistently with the notion of biometric data as defined in Article 4(14) of Regulation (EU) 2016/679 of the European Parliament and of the Council35 , Article 3(18) of Regulation (EU) 2018/1725 of the European Parliament and of the Council36 and Article 3(13) of Directive (EU) 2016/680 of the European Parliament and of the Council37 .

—————-
35. Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ L 119, 4.5.2016, p. 1).

36. Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC (OJ L 295, 21.11.2018, p. 39)

37. Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA (Law Enforcement Directive) (OJ L 119, 4.5.2016, p. 89).		(7)  The notion of biometric data used in this Regulation is in line with and should be interpreted consistently with the notion of biometric data as defined in Article 4(14) of Regulation (EU) 2016/679 of the European Parliament and of the Council35. Biometrics-based data are additional data resulting from specific technical processing relating to physical, physiological or behavioural signals of a natural person, such as facial expressions, movements, pulse frequency, voice, key strikes or gait, which may or may not allow or confirm the unique identification of a natural person.

_
35. Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ L 119, 4.5.2016, p. 1).		(7) The notion of biometric data used in this Regulation should be interpreted consistently with the notion of biometric data as defined in Article 4(14) of Regulation (EU) 2016/679 of the European Parliament and of the Council6, Article 3(18) of Regulation (EU) 2018/1725 of the European Parliament and of the Council7 and Article 3(13) of Directive (EU) 2016/680 of the European Parliament and of the Council8.

_
6. Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ L 119, 4.5.2016, p. 1).

7. Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC (OJ L 295, 21.11.2018, p. 39)

8. Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA (Law Enforcement Directive) (OJ L 119, 4.5.2016, p. 89).		(7) The notion of biometric data used in this Regulation is in line with and should be interpreted consistently with the notion of biometric data as defined in Article 4(14) of Regulation (EU) 2016/679 of the European Parliament and of the Council35, Article 3(18) of Regulation (EU) 2018/1725 of the European Parliament and of the Council36, and Article 3(13) of Directive (EU) 2016/680 of the European Parliament and of the Council37. Biometrics-based data are additional data resulting from specific technical processing relating to physical, physiological or behavioural signals of a natural person, such as facial expressions, movements, pulse frequency, voice, key strikes or gait, which may or may not allow or confirm the unique identification of a natural person.
Recital (7a) (new)(7a)  The notion of biometric identification as used in this Regulation should be defined as the automated recognition of physical, physiological, behavioural, and psychological human features such as the face, eye movement, facial expressions, body shape, voice, speech, gait, posture, heart rate, blood pressure, odour, keystrokes, psychological reactions (anger, distress, grief, etc.) for the purpose of establishing an individual’s identity by comparing biometric data of that individual to stored biometric data of individuals in a database (one-to-many identification), irrespective of whether the individual has given its consent or not.The concept of biometric identification, as applied in this Regulation, should be understood as the automated recognition of physical, physiological, behavioural, and psychological human characteristics such as the face, eye movement, facial expressions, body shape, voice, speech, gait, posture, heart rate, blood pressure, odour, keystrokes, psychological reactions (anger, distress, grief, etc.) with the aim of confirming an individual’s identity. This is achieved by comparing the biometric data of the individual with the stored biometric data of individuals in a database (one-to-many identification), regardless of whether the individual has given their consent or not.
Recital (7b) (new)(7b)  The notion of biometric categorisation as used in this Regulation should be defined as assigning natural persons to specific categories or inferring their characteristics and attributes such as gender, sex, age, hair colour, eye colour, tattoos, ethnic or social origin, health, mental or physical ability, behavioural or personality, traits language, religion, or membership of a national minority or sexual or political orientation on the basis of their biometric or biometric-based data, or which can be inferred from such data.The concept of biometric categorisation, as referred to in this Regulation, should be defined as the process of assigning natural persons to specific categories or deducing their characteristics and attributes. These may include gender, sex, age, hair colour, eye colour, tattoos, ethnic or social origin, health status, mental or physical ability, behavioural or personality traits, language, religion, membership of a national minority, or sexual or political orientation. This categorisation is based on their biometric or biometric-based data, or information that can be inferred from such data.
Recital (8)(8)  The notion of remote biometric identification system as used in this Regulation should be defined functionally, as an AI system intended for the identification of natural persons at a distance through the comparison of a person’s biometric data with the biometric data contained in a reference database, and without prior knowledge whether the targeted person will be present and can be identified, irrespectively of the particular technology, processes or types of biometric data used. Considering their different characteristics and manners in which they are used, as well as the different risks involved, a distinction should be made between ‘real-time’ and ‘post’ remote biometric identification systems. In the case of ‘real-time’ systems, the capturing of the biometric data, the comparison and the identification occur all instantaneously, near-instantaneously or in any event without a significant delay. In this regard, there should be no scope for circumventing the rules of this Regulation on the ‘real-time’ use of the AI systems in question by providing for minor delays. ‘Real-time’ systems involve the use of ‘live’ or ‘near-‘live’ material, such as video footage, generated by a camera or other device with similar functionality. In the case of ‘post’ systems, in contrast, the biometric data have already been captured and the comparison and identification occur only after a significant delay. This involves material, such as pictures or video footage generated by closed circuit television cameras or private devices, which has been generated before the use of the system in respect of the natural persons concerned.(8)  The notion of remote biometric identification system as used in this Regulation should be defined functionally, as an AI system intended for the identification of natural persons at a distance through the comparison of a person’s biometric data with the biometric data contained in a reference database, and without prior knowledge whether the targeted person will be present and can be identified, irrespectively of the particular technology, processes or types of biometric data used, exlcuding verification systems which merely compare the biometric data of an individual to their previously provided biometric data (one-to-one). Considering their different characteristics and manners in which they are used, as well as the different risks involved, a distinction should be made between ‘real-time’ and ‘post’ remote biometric identification systems. In the case of ‘real-time’ systems, the capturing of the biometric data, the comparison and the identification occur all instantaneously, near-instantaneously or in any event without a significant delay. In this regard, there should be no scope for circumventing the rules of this Regulation on the ‘real-time’ use of the AI systems in question by providing for minor delays. ‘Real-time’ systems involve the use of ‘live’ or ‘near-‘live’ material, such as video footage, generated by a camera or other device with similar functionality. In the case of ‘post’ systems, in contrast, the biometric data have already been captured and the comparison and identification occur only after a significant delay. This involves material, such as pictures or video footage generated by closed circuit television cameras or private devices, which has been generated before the use of the system in respect of the natural persons concerned. Given that the notion of biometric identification is independent from the individual’s consent, this definition applies even when warning notices are placed in the location that is under surveillance of the remote biometric identification system, and is not de facto annulled by pre-enrolment.(8) The notion of remote biometric identification system as used in this Regulation should be defined functionally, as an AI system intended for the identification of natural persons typically at a distance, without their active involvement, through the comparison of a person’s biometric data with the biometric data contained in a reference data repository, irrespectively of the particular technology, processes or types of biometric data used. Such remote biometric identification systems are typically used to perceive (scan) multiple persons or their behaviour simultaneously in order to facilitate significantly the identification of a number of persons without their active involvement. Such a definition excludes verification/authentication systems whose sole purpose would be to confirm that a specific natural person is the person he or she claims to be, as well as systems that are used to confirm the identity of a natural person for the sole purpose of having access to a service, a device or premises. This exclusion is justified by the fact that such systems are likely to have a minor impact on fundamental rights of natural persons compared to remote biometric identification systems which may be used for the processing of the biometric data of a large number of persons. In the case of ‘real-time’ systems, the capturing of the biometric data, the comparison and the identification occur all instantaneously, near-instantaneously or in any event without a significant delay. In this regard, there should be no scope for circumventing the rules of this Regulation on the ‘real-time’ use of the AI systems in question by providing for minor delays. ‘Real-time’ systems involve the use of ‘live’ or ‘near-‘live’ material, such as video footage, generated by a camera or other device with similar functionality. In the case of ‘post’ systems, in contrast, the biometric data have already been captured and the comparison and identification occur only after a significant delay. This involves material, such as pictures or video footage generated by closed circuit television cameras or private devices, which has been generated before the use of the system in respect of the natural persons concerned. (8) The notion of remote biometric identification system as used in this Regulation should be defined functionally, as an AI system intended for the identification of natural persons at a distance, without their active involvement, through the comparison of a person’s biometric data with the biometric data contained in a reference database or data repository, and without prior knowledge whether the targeted person will be present and can be identified, irrespectively of the particular technology, processes or types of biometric data used. This definition excludes verification/authentication systems whose sole purpose would be to confirm that a specific natural person is the person he or she claims to be, as well as systems that are used to confirm the identity of a natural person for the sole purpose of having access to a service, a device or premises, and verification systems which merely compare the biometric data of an individual to their previously provided biometric data (one-to-one). Considering their different characteristics and manners in which they are used, as well as the different risks involved, a distinction should be made between ‘real-time’ and ‘post’ remote biometric identification systems. In the case of ‘real-time’ systems, the capturing of the biometric data, the comparison and the identification occur all instantaneously, near-instantaneously or in any event without a significant delay. In this regard, there should be no scope for circumventing the rules of this Regulation on the ‘real-time’ use of the AI systems in question by providing for minor delays. ‘Real-time’ systems involve the use of ‘live’ or ‘near-‘live’ material, such as video footage, generated by a camera or other device with similar functionality. In the case of ‘post’ systems, in contrast, the biometric data have already been captured and the comparison and identification occur only after a significant delay. This involves material, such as pictures or video footage generated by closed circuit television cameras or private devices, which has been generated before the use of the system in respect of the natural persons concerned. Given that the notion of biometric identification is independent from the individual’s consent, this definition applies even when warning notices are placed in the location that is under surveillance of the remote biometric identification system, and is not de facto annulled by pre-enrolment.
Recital (8a) (new)(8a)  The identification of natural persons at a distance is understood to distinguish remote biometric identification systems from close proximity individual verification systems using biometric identification means, whose sole purpose is to confirm whether or not a specific natural person presenting themselves for identification is permitted, such as in order to gain access to a service, a device, or premises.The identification of natural persons at a distance refers to the use of remote biometric identification systems, which are distinct from close proximity individual verification systems that utilize biometric identification means. The primary function of these close proximity systems is to verify whether a specific natural person presenting themselves for identification is authorized, for instance, to access a service, a device, or premises.
Recital (9)(9)  For the purposes of this Regulation the notion of publicly accessible space should be understood as referring to any physical place that is accessible to the public, irrespective of whether the place in question is privately or publicly owned. Therefore, the notion does not cover places that are private in nature and normally not freely accessible for third parties, including law enforcement authorities, unless those parties have been specifically invited or authorised, such as homes, private clubs, offices, warehouses and factories. Online spaces are not covered either, as they are not physical spaces. However, the mere fact that certain conditions for accessing a particular space may apply, such as admission tickets or age restrictions, does not mean that the space is not publicly accessible within the meaning of this Regulation. Consequently, in addition to public spaces such as streets, relevant parts of government buildings and most transport infrastructure, spaces such as cinemas, theatres, shops and shopping centres are normally also publicly accessible. Whether a given space is accessible to the public should however be determined on a case-by-case basis, having regard to the specificities of the individual situation at hand.(9)  For the purposes of this Regulation the notion of publicly accessible space should be understood as referring to any physical place that is accessible to the public, irrespective of whether the place in question is privately or publicly owned and regardless of the potential capacity restrictions. Therefore, the notion does not cover places that are private in nature and normally not freely accessible for third parties, including law enforcement authorities, unless those parties have been specifically invited or authorised, such as homes, private clubs, offices, warehouses and factories. Online spaces are not covered either, as they are not physical spaces. However, the mere fact that certain conditions for accessing a particular space may apply, such as admission tickets or age restrictions, does not mean that the space is not publicly accessible within the meaning of this Regulation. Consequently, in addition to public spaces such as streets, relevant parts of government buildings and most transport infrastructure, spaces such as cinemas, theatres, sports grounds, schools, universities, relevant parts of hospitals and banks, amusement parks, festivals, shops and shopping centres are normally also publicly accessible. Whether a given space is accessible to the public should however be determined on a case-by-case basis, having regard to the specificities of the individual situation at hand.(9) For the purposes of this Regulation the notion of publicly accessible space should be understood as referring to any physical place that is accessible to an undetermined number of natural persons, and irrespective of whether the place in question is privately or publicly owned and irrepective of the activity for which the place may be used, such as commerce (for instance, shops, restaurants, cafés), services (for instance, banks, professional activities, hospitality), sport (for instance, swimming pools, gyms, stadiums), transport (for instance, bus, metro and railway stations, airports, means of transport ), entertainment (for instance, cinemas, theatres, museums, concert and conference halls) leisure or otherwise (for instance, public roads and squares, parks, forests, playgrounds). A place should be classified as publicly accessible also if, regardless of potential capacity or security restrictions, access is subject to certain predetermined conditions, which can be fulfilled by an undetermined number of persons, such as purchase of a ticket or title of transport, prior registration or having a certain age. By contrast, a place should not be considered publicly accessible if access is limited to specific and defined natural persons through either Union or national law directly related to public safety or security or through the clear manifestation of will by the person having the relevant authority on the place. The factual possibility of access alone (e.g. an unlocked door, an open gate in a fence) does not imply that the place is publicly accessible in the presence of indications or circumstances suggesting the contrary (e.g. signs prohibiting or restricting access). Company and factory premises as well as offices and workplaces that are intended to be accessed only by relevant employees and service providers are places that are not publicly accessible. Publicly accessible spaces should not include prisons or border control areas. Some other areas may be composed of both not publicly accessible and publicly accessible areas, such as the hallway of a private residential building necessary to access a doctor’s office or an airport. Online spaces are not covered either, as they are not physical spaces. Whether a given space is accessible to the public should however be determined on a case-by-case basis, having regard to the specificities of the individual situation at hand.(9) For the purposes of this Regulation, the notion of publicly accessible space should be understood as referring to any physical place that is accessible to the public or an undetermined number of natural persons, irrespective of whether the place in question is privately or publicly owned, and regardless of the potential capacity restrictions or the activity for which the place may be used. Therefore, the notion does not cover places that are private in nature and normally not freely accessible for third parties, including law enforcement authorities, unless those parties have been specifically invited or authorised, such as homes, private clubs, offices, warehouses, factories, company and factory premises as well as offices and workplaces that are intended to be accessed only by relevant employees and service providers. Online spaces are not covered either, as they are not physical spaces. However, the mere fact that certain conditions for accessing a particular space may apply, such as admission tickets, age restrictions, purchase of a ticket or title of transport, prior registration or having a certain age, does not mean that the space is not publicly accessible within the meaning of this Regulation. Consequently, in addition to public spaces such as streets, relevant parts of government buildings and most transport infrastructure, spaces such as cinemas, theatres, museums, concert and conference halls, sports grounds, schools, universities, relevant parts of hospitals and banks, amusement parks, festivals, shops, shopping centres, restaurants, cafés, swimming pools, gyms, stadiums, bus, metro and railway stations, airports, means of transport, public roads and squares, parks, forests, playgrounds are normally also publicly accessible. Publicly accessible spaces should not include prisons or border control areas. Some other areas may be composed of both not publicly accessible and publicly accessible areas, such as the hallway of a private residential building necessary to access a doctor’s office or an airport. Whether a given space is accessible to the public should however be determined on a case-by-case basis, having regard to the specificities of the individual situation at hand.
Recital (9a) (new)(9a)  It is important to note that AI systems should make best efforts to respect general principles establishing a high-level framework that promotes a coherent human-centric approach to ethical and trustworthy AI in line with the Charter of Fundamental Rights of the European Union and the values on which the Union is founded, including the protection of fundamental rights, human agency and oversight, technical robustness and safety, privacy and data governance, transparency, non-discrimination and fairness and societal and environmental wellbeing.AI systems should strive to uphold general principles that establish a high-level framework promoting a coherent, human-centric approach to ethical and trustworthy AI. This approach should be in line with the Charter of Fundamental Rights of the European Union and the values on which the Union is founded. These values include the protection of fundamental rights, human agency and oversight, technical robustness and safety, privacy and data governance, transparency, non-discrimination and fairness, and societal and environmental wellbeing. It is crucial that AI systems make their best efforts to respect these principles.
Recital (9b) (new)(9b)  ‘AI literacy’ refers to skills, knowledge and understanding that allows providers, users and affected persons, taking into account their respective rights and obligations in the context of this Regulation, to make an informed deployment of AI systems, as well as to gain awareness about the opportunities and risks of AI and possible harm it can cause and thereby promote its democratic control. AI literacy should not be limited to learning about tools and technologies, but should also aim to equip providers and users with the notions and skills required to ensure compliance with and enforcement of this Regulation. It is therefore necessary that the Commission, the Member States as well as providers and users of AI systems, in cooperation with all relevant stakeholders, promote the development of a sufficient level of AI literacy, in all sectors of society, for people of all ages, including women and girls, and that progress in that regard is closely followed.AI literacy’ is defined as the skills, knowledge, and understanding that enable providers, users, and those affected by AI, considering their respective rights and obligations under this Regulation, to make informed decisions about the deployment of AI systems. This includes awareness of the opportunities and risks of AI, the potential harm it can cause, and the promotion of its democratic control. AI literacy should extend beyond learning about tools and technologies, and should also aim to equip providers and users with the necessary notions and skills to ensure compliance with and enforcement of this Regulation. Therefore, it is crucial that the Commission, Member States, providers, and users of AI systems, in collaboration with all relevant stakeholders, promote the development of a sufficient level of AI literacy across all sectors of society and for people of all ages, including women and girls. Progress in this area should be closely monitored.
Recital (10)(10)  In order to ensure a level playing field and an effective protection of rights and freedoms of individuals across the Union, the rules established by this Regulation should apply to providers of AI systems in a non-discriminatory manner, irrespective of whether they are established within the Union or in a third country, and to users of AI systems established within the Union.(10)  In order to ensure a level playing field and an effective protection of rights and freedoms of individuals across the Union and on international level, the rules established by this Regulation should apply to providers of AI systems in a non-discriminatory manner, irrespective of whether they are established within the Union or in a third country, and to deployers of AI systems established within the Union. In order for the Union to be true to its fundamental values, AI systems intended to be used for practices that are considered unacceptable by this Regulation, should equally be deemed to be unacceptable outside the Union because of their particularly harmful effect to fundamental rights as enshrined in the Charter. Therefore it is appropriate to prohibit the export of such AI systems to third countries by providers residing in the Union.(10) In order to ensure a level playing field and an effective protection of rights and freedoms of individuals across the Union, the rules established by this Regulation should apply to providers of AI systems in a non-discriminatory manner, irrespective of whether they are established within the Union or in a third country, and to users of AI systems established within the Union.(10) In order to ensure a level playing field and an effective protection of rights and freedoms of individuals across the Union and on an international level, the rules established by this Regulation should apply to providers of AI systems in a non-discriminatory manner, irrespective of whether they are established within the Union or in a third country, and to users and deployers of AI systems established within the Union. In order for the Union to be true to its fundamental values, AI systems intended to be used for practices that are considered unacceptable by this Regulation, should equally be deemed to be unacceptable outside the Union because of their particularly harmful effect to fundamental rights as enshrined in the Charter. Therefore it is appropriate to prohibit the export of such AI systems to third countries by providers residing in the Union.
Recital (11)(11)  In light of their digital nature, certain AI systems should fall within the scope of this Regulation even when they are neither placed on the market, nor put into service, nor used in the Union. This is the case for example of an operator established in the Union that contracts certain services to an operator established outside the Union in relation to an activity to be performed by an AI system that would qualify as high-risk and whose effects impact natural persons located in the Union. In those circumstances, the AI system used by the operator outside the Union could process data lawfully collected in and transferred from the Union, and provide to the contracting operator in the Union the output of that AI system resulting from that processing, without that AI system being placed on the market, put into service or used in the Union. To prevent the circumvention of this Regulation and to ensure an effective protection of natural persons located in the Union, this Regulation should also apply to providers and users of AI systems that are established in a third country, to the extent the output produced by those systems is used in the Union. Nonetheless, to take into account existing arrangements and special needs for cooperation with foreign partners with whom information and evidence is exchanged, this Regulation should not apply to public authorities of a third country and international organisations when acting in the framework of international agreements concluded at national or European level for law enforcement and judicial cooperation with the Union or with its Member States. Such agreements have been concluded bilaterally between Member States and third countries or between the European Union, Europol and other EU agencies and third countries and international organisations.(11)  In light of their digital nature, certain AI systems should fall within the scope of this Regulation even when they are neither placed on the market, nor put into service, nor used in the Union. This is the case for example of an operator established in the Union that contracts certain services to an operator established outside the Union in relation to an activity to be performed by an AI system that would qualify as high-risk and whose effects impact natural persons located in the Union. In those circumstances, the AI system used by the operator outside the Union could process data lawfully collected in and transferred from the Union, and provide to the contracting operator in the Union the output of that AI system resulting from that processing, without that AI system being placed on the market, put into service or used in the Union. To prevent the circumvention of this Regulation and to ensure an effective protection of natural persons located in the Union, this Regulation should also apply to providers and users deployers of AI systems that are established in a third country, to the extent the output produced by those systems is intended to be used in the Union. Nonetheless, to take into account existing arrangements and special needs for cooperation with foreign partners with whom information and evidence is exchanged, this Regulation should not apply to public authorities of a third country and international organisations when acting in the framework of international agreements concluded at national or European level for law enforcement and judicial cooperation with the Union or with its Member States. Such agreements have been concluded bilaterally between Member States and third countries or between the European Union, Europol and other EU agencies and third countries and international organisations. This exception should nevertheless be limited to trusted countries and international organisation that share Union values.(11) In light of their digital nature, certain AI systems should fall within the scope of this Regulation even when they are neither placed on the market, nor put into service, nor used in the Union. This is the case for example of an operator established in the Union that contracts certain services to an operator established outside the Union in relation to an activity to be performed by an AI system that would qualify as high-risk. In those circumstances, the AI system used by the operator outside the Union could process data lawfully collected in and transferred from the Union, and provide to the contracting operator in the Union the output of that AI system resulting from that processing, without that AI system being placed on the market, put into service or used in the Union. To prevent the circumvention of this Regulation and to ensure an effective protection of natural persons located in the Union, this Regulation should also apply to providers and users of AI systems that are established in a third country, to the extent the output produced by those systems is used in the Union. Nonetheless, to take into account existing arrangements and special needs for future cooperation with foreign partners with whom information and evidence is exchanged, this Regulation should not apply to public authorities of a third country and international organisations when acting in the framework of international agreements concluded at national or European level for law enforcement and judicial cooperation with the Union or with its Member States. Such agreements have been concluded bilaterally between Member States and third countries or between the European Union, Europol and other EU agencies and third countries and international organisations. Recipient Member States authorities and Union institutions, offices, bodies and bodies making use of such outputs in the Union remain accountable to ensure their use comply with Union law. When those international agreements are revised or new ones are concluded in the future, the contracting parties should undertake the utmost effort to align those agreements with the requirements of this Regulation.(11) In light of their digital nature, certain AI systems should fall within the scope of this Regulation even when they are neither placed on the market, nor put into service, nor used in the Union. This is the case for example of an operator established in the Union that contracts certain services to an operator established outside the Union in relation to an activity to be performed by an AI system that would qualify as high-risk and whose effects impact natural persons located in the Union. In those circumstances, the AI system used by the operator outside the Union could process data lawfully collected in and transferred from the Union, and provide to the contracting operator in the Union the output of that AI system resulting from that processing, without that AI system being placed on the market, put into service or used in the Union. To prevent the circumvention of this Regulation and to ensure an effective protection of natural persons located in the Union, this Regulation should also apply to providers and users deployers of AI systems that are established in a third country, to the extent the output produced by those systems is intended to be used in the Union. Nonetheless, to take into account existing arrangements and special needs for future cooperation with foreign partners with whom information and evidence is exchanged, this Regulation should not apply to public authorities of a third country and international organisations when acting in the framework of international agreements concluded at national or European level for law enforcement and judicial cooperation with the Union or with its Member States. Such agreements have been concluded bilaterally between Member States and third countries or between the European Union, Europol and other EU agencies and third countries and international organisations. This exception should nevertheless be limited to trusted countries and international organisation that share Union values. Recipient Member States authorities and Union institutions, offices, bodies and bodies making use of such outputs in the Union remain accountable to ensure their use comply with Union law. When those international agreements are revised or new ones are concluded in the future, the contracting parties should undertake the utmost effort to align those agreements with the requirements of this Regulation.
Recital (12)(12)  This Regulation should also apply to Union institutions, offices, bodies and agencies when acting as a provider or user of an AI system. AI systems exclusively developed or used for military purposes should be excluded from the scope of this Regulation where that use falls under the exclusive remit of the Common Foreign and Security Policy regulated under Title V of the Treaty on the European Union (TEU). This Regulation should be without prejudice to the provisions regarding the liability of intermediary service providers set out in Directive 2000/31/EC of the European Parliament and of the Council [as amended by the Digital Services Act].(12)  This Regulation should also apply to Union institutions, offices, bodies and agencies when acting as a provider or deployer of an AI system. AI systems exclusively developed or used for military purposes should be excluded from the scope of this Regulation where that use falls under the exclusive remit of the Common Foreign and Security Policy regulated under Title V of the Treaty on the European Union (TEU). This Regulation should be without prejudice to the provisions regarding the liability of intermediary service providers set out in Directive 2000/31/EC of the European Parliament and of the Council [as amended by the Digital Services Act].(12) This Regulation should also apply to Union institutions, offices, bodies and agencies when acting as a provider or user of an AI system.(12) This Regulation should also apply to Union institutions, offices, bodies and agencies when acting as a provider, user, or deployer of an AI system. AI systems exclusively developed or used for military purposes should be excluded from the scope of this Regulation where that use falls under the exclusive remit of the Common Foreign and Security Policy regulated under Title V of the Treaty on the European Union (TEU). This Regulation should be without prejudice to the provisions regarding the liability of intermediary service providers set out in Directive 2000/31/EC of the European Parliament and of the Council [as amended by the Digital Services Act].
Recital (-12a) (new)(-12a) If and insofar AI systems are placed on the market, put into service, or used with or without modification of such systems for military, defence or national security purposes, those should be excluded from the scope of this Regulation regardless of which type of entity is carrying out those activities, such as whether it is a public or private entity. As regards military and defence purposes, such exclusion is justified both by Article 4(2) TEU and by the specifities of the Member States’ and the common Union defence policy covered by Chapter 2 of Title V of the Treaty on European Union (TEU) that are subject to public international law, which is therefore the more appropriate legal framework for the regulation of AI systems in the context of the use of lethal force and other AI systems in the context of military and defence activities. As regards national security purposes, the exclusion is justified both by the fact that national security remains the sole responsibility of Member States in accordance with Article 4(2) TEU and by the specific nature and operational needs of national security activities and specific national rules applicable to those activities. Nonetheless, if an AI system developed, placed on the market, put into service or used for military, defence or national security purposes is used outside those temporarily or permanently for other purposes (for example, civilian or humanitarian purposes, law enforcement or public security purposes), such a system would fall within the scope of this Regulation. In that case, the entity using the system for other than military, defence or national security purposes should ensure compliance of the system with this Regulation, unless the system is already compliant with this Regulation. AI systems placed on the market or put into service for an excluded (i.e. military, defence or national security) and one or more non excluded purposes (e.g. civilian purposes, law enforcement, etc.), fall within the scope of this Regulation and providers of those systems should ensure compliance with this Regulation. In those cases, the fact that an AI system may fall within the scope of this Regulation should not affect the possibility of entities carrying out national security, defence and military activities, regardless of the type of entity carrying out those activities, to use AI systems for national security, military and defence purposes, the use of which is excluded from the scope of this Regulation. An AI system placed on the market for civilian or law enforcement purposes which is used with or without modification for military, defence or national security purposes should not fall within the scope of this Regulation, regardless of the type of entity carrying out those activities.AI systems that are placed on the market, put into service, or used with or without modification for military, defence or national security purposes should be excluded from the scope of this Regulation, regardless of the type of entity carrying out these activities, whether public or private. This exclusion is justified by Article 4(2) TEU, the specificities of the Member States’ and the common Union defence policy, and the fact that national security remains the sole responsibility of Member States. However, if an AI system developed for military, defence or national security purposes is used temporarily or permanently for other purposes, such as civilian or humanitarian purposes, law enforcement or public security, it would fall within the scope of this Regulation. In such cases, the entity using the system for other purposes should ensure compliance with this Regulation, unless the system is already compliant. AI systems placed on the market or put into service for both excluded and non-excluded purposes fall within the scope of this Regulation, and providers should ensure compliance. The fact that an AI system may fall within the scope of this Regulation should not affect the possibility of entities carrying out national security, defence and military activities to use AI systems for these purposes, which are excluded from the scope of this Regulation. An AI system placed on the market for civilian or law enforcement purposes which is used for military, defence or national security purposes should not fall within the scope of this Regulation, regardless of the type of entity carrying out those activities.
Recital (12a) (new) [C](12a) This Regulation should be without prejudice to the provisions regarding the liability of intermediary service providers set out in Directive 2000/31/EC of the European Parliament and of the Council [as amended by the Digital Services Act].This Regulation should be without prejudice to the provisions regarding the liability of intermediary service providers set out in Directive 2000/31/EC of the European Parliament and of the Council, as amended by the Digital Services Act.
Recital (12a) [P] / (12b) [C] (new)(12a)  Software and data that are openly shared and where users can freely access, use, modify and redistribute them or modified versions thereof, can contribute to research and innovation in the market. Research by the Commission also shows that free and open-source software can contribute between EUR 65 billion to EUR 95 billion to the European Union’s GDP and that it can provide significant growth opportunities for the European economy. Users are allowed to run, copy, distribute, study, change and improve software and data, including models by way of free and open-source licences. To foster the development and deployment of AI, especially by SMEs, start-ups, academic research but also by individuals, this Regulation should not apply to such free and open-source AI components except to the extent that they are placed on the market or put into service by a provider as part of a high-risk AI system or of an AI system that falls under Title II or IV of this Regulation.(12b) This Regulation should not undermine research and development activity and should respect freedom of science. It is therefore necessary to exclude from its scope AI systems specifically developed and put into service for the sole purpose of scientific research and development and to ensure that the Regulation does not otherwise affect scientific research and development activity on AI systems. As regards product oriented research activity by providers, the provisions of this Regulation should also not apply. This is without prejudice to the obligation to comply with this Regulation when an AI system falling into the scope of this Regulation is placed on the market or put into service as a result of such research and development activity and to the application of provisions on regulatory sandboxes and testing in real world conditions. Furthermore, without prejudice to the foregoing regarding AI systems specifically developed and put into service for the sole purpose of scientific research and development, any other AI system that may be used for the conduct of any reaserch and development activity should remain subject to the provisions of this Regulation. Under all circumstances, any research and development activity should be carried out in accordance with recognised ethical and professional standards for scientific research.(12c) Openly shared software and data, where users can freely access, use, modify, and redistribute them or their modified versions, can contribute significantly to research, innovation, and the European Union’s GDP. This Regulation should not apply to such free and open-source AI components, especially those developed and deployed by SMEs, start-ups, academic research, and individuals, unless they are part of a high-risk AI system or an AI system that falls under Title II or IV of this Regulation when placed on the market or put into service by a provider.

Furthermore, this Regulation should not undermine research and development activity and should respect the freedom of science. Therefore, AI systems specifically developed and put into service for the sole purpose of scientific research and development should be excluded from its scope. However, this is without prejudice to the obligation to comply with this Regulation when an AI system resulting from such research and development activity is placed on the market or put into service.

In addition, any other AI system that may be used for the conduct of any research and development activity should remain subject to the provisions of this Regulation. All research and development activities should be carried out in accordance with recognised ethical and professional standards for scientific research.
Recital (12b) (new) [P](12b)  Neither the collaborative development of free and open-source AI components nor making them available on open repositories should constitute a placing on the market or putting into service. A commercial activity, within the understanding of making available on the market, might however be characterised by charging a price, with the exception of transactions between micro enterprises, for a free and open-source AI component but also by charging a price for technical support services, by providing a software platform through which the provider monetises other services, or by the use of personal data for reasons other than exclusively for improving the security, compatibility or interoperability of the software.The collaborative development and availability of free and open-source AI components on open repositories should not be considered as placing on the market or putting into service. However, a commercial activity, which falls under the category of making available on the market, could be defined by charging a price for a free and open-source AI component, excluding transactions between micro enterprises. This could also include charging a price for technical support services, providing a software platform through which the provider monetises other services, or using personal data for purposes other than exclusively improving the security, compatibility or interoperability of the software.
Recital (12c) (new) [C](12c) In the light of the nature and complexity of the value chain for AI systems, it is essential to clarify the role of actors who may contribute to the development of AI systems, notably high-risk AI systems. In particular, it is necessary to clarify that general purpose AI systems are AI systems that are intended by the provider to perform generally applicable functions, such as image/speech recognition, and in a plurality of contexts. They may be used as high- risk AI systems by themselves or be components of other high risk AI systems. Therefore, due to their particular nature and in order to ensure a fair sharing of responsibilities along the AI value chain, such systems should be subject to proportionate and more specific requirements and obligations under this Regulation while ensuring a high level of protection of fundamental rights, health and safety. In addition, the providers of general purpose AI systems, irrespective of whether they may be used as high-risk AI systems as such by other providers or as components of high-risk AI systems, should cooperate, as appropriate, with the providers of the respective high-risk AI systems to enable their compliance with the relevant obligations under this Regulation and with the competent authorities established under this Regulation. In order to take into account the specific characteristics of general purpose AI systems and the fast evolving market and technological developments in the field, implementing powers should be conferred on the Commission to specify and adapt the application of the requirements established under this Regulation to general purpose AI systems and to specify the information to be shared by the providers of general purpose AI systems in order to enable the providers of the respective high-risk AI system to comply with their obligations under this Regulation.Given the complexity of the AI systems value chain, it is crucial to define the roles of actors involved in the development of AI systems, especially high-risk AI systems. It should be clarified that general purpose AI systems are those designed by the provider to perform universally applicable functions, such as image/speech recognition, in multiple contexts. These systems can be used as high-risk AI systems independently or as components of other high-risk AI systems. Due to their unique nature, these systems should be subject to specific and proportionate requirements and obligations under this Regulation, ensuring a high level of protection of fundamental rights, health, and safety. Providers of general purpose AI systems should cooperate with the providers of high-risk AI systems to ensure compliance with this Regulation, regardless of whether their systems are used as high-risk AI systems or as components of such systems. The Commission should be granted implementing powers to adapt the application of the requirements established under this Regulation to general purpose AI systems, considering their specific characteristics and the rapidly evolving market and technological developments. The Commission should also specify the information to be shared by the providers of general purpose AI systems to enable the providers of high-risk AI systems to comply with their obligations under this Regulation.
Recital (12c) (new) [P](12c)  The developers of free and open-source AI components should not be mandated under this Regulation to comply with requirements targeting the AI value chain and, in particular, not towards the provider that has used that free and open-source AI component. Developers of free and open-source AI components should however be encouraged to implement widely adopted documentation practices, such as model and data cards, as a way to accelerate information sharing along the AI value chain, allowing the promotion of trustworthy AI systems in the Union.Developers of free and open-source AI components should not be required to comply with regulations targeting the AI value chain, particularly not towards the provider that has used that free and open-source AI component. However, they should be encouraged to adopt widely accepted documentation practices, such as model and data cards, to facilitate information sharing along the AI value chain and promote trustworthy AI systems in the Union.
Recital (13)(13)  In order to ensure a consistent and high level of protection of public interests as regards health, safety and fundamental rights, common normative standards for all high-risk AI systems should be established. Those standards should be consistent with the Charter of fundamental rights of the European Union (the Charter) and should be non-discriminatory and in line with the Union’s international trade commitments.(13)  In order to ensure a consistent and high level of protection of public interests as regards health, safety and fundamental rights as well as democracy and rule of law and the environment, common normative standards for all high-risk AI systems should be established. Those standards should be consistent with the Charter, the European Green Deal, the Joint Declaration on Digital Rights of the Union and the Ethics Guidelines for Trustworthy Artificial Intelligence (AI) of the High-Level Expert Group on Artificial Intelligence, and should be non-discriminatory and in line with the Union’s international trade commitments.(13) In order to ensure a consistent and high level of protection of public interests as regards health, safety and fundamental rights, common normative standards for all high-risk AI systems should be established. Those standards should be consistent with the Charter of fundamental rights of the European Union (the Charter) and should be non-discriminatory and in line with the Union’s international trade commitments.(13) In order to ensure a consistent and high level of protection of public interests as regards health, safety, fundamental rights, as well as democracy, rule of law and the environment, common normative standards for all high-risk AI systems should be established. Those standards should be consistent with the Charter of fundamental rights of the European Union (the Charter), the European Green Deal, the Joint Declaration on Digital Rights of the Union and the Ethics Guidelines for Trustworthy Artificial Intelligence (AI) of the High-Level Expert Group on Artificial Intelligence, and should be non-discriminatory and in line with the Union’s international trade commitments.
Recital (14)(14)  In order to introduce a proportionate and effective set of binding rules for AI systems, a clearly defined risk-based approach should be followed. That approach should tailor the type and content of such rules to the intensity and scope of the risks that AI systems can generate. It is therefore necessary to prohibit certain artificial intelligence practices, to lay down requirements for high-risk AI systems and obligations for the relevant operators, and to lay down transparency obligations for certain AI systems.(14)  In order to introduce a proportionate and effective set of binding rules for AI systems, a clearly defined risk-based approach should be followed. That approach should tailor the type and content of such rules to the intensity and scope of the risks that AI systems can generate. It is therefore necessary to prohibit certain unacceptable artificial intelligence practices, to lay down requirements for high-risk AI systems and obligations for the relevant operators, and to lay down transparency obligations for certain AI systems(14) In order to introduce a proportionate and effective set of binding rules for AI systems, a clearly defined risk-based approach should be followed. That approach should tailor the type and content of such rules to the intensity and scope of the risks that AI systems can generate. It is therefore necessary to prohibit certain artificial intelligence practices, to lay down requirements for high-risk AI systems and obligations for the relevant operators, and to lay down transparency obligations for certain AI systems.(14) In order to introduce a proportionate and effective set of binding rules for AI systems, a clearly defined risk-based approach should be followed. That approach should tailor the type and content of such rules to the intensity and scope of the risks that AI systems can generate. It is therefore necessary to prohibit certain unacceptable artificial intelligence practices, to lay down requirements for high-risk AI systems and obligations for the relevant operators, and to lay down transparency obligations for certain AI systems.
Recital (15)(15)  Aside from the many beneficial uses of artificial intelligence, that technology can also be misused and provide novel and powerful tools for manipulative, exploitative and social control practices. Such practices are particularly harmful and should be prohibited because they contradict Union values of respect for human dignity, freedom, equality, democracy and the rule of law and Union fundamental rights, including the right to non-discrimination, data protection and privacy and the rights of the child.(15)  Aside from the many beneficial uses of artificial intelligence, that technology can also be misused and provide novel and powerful tools for manipulative, exploitative and social control practices. Such practices are particularly harmful and abusive and should be prohibited because they contradict Union values of respect for human dignity, freedom, equality, democracy and the rule of law and Union fundamental rights, including the right to non-discrimination, data protection and privacy and the rights of the child.(15) Aside from the many beneficial uses of artificial intelligence, that technology can also be misused and provide novel and powerful tools for manipulative, exploitative and social control practices. Such practices are particularly harmful and should be prohibited because they contradict Union values of respect for human dignity, freedom, equality, democracy and the rule of law and Union fundamental rights, including the right to non-discrimination, data protection and privacy and the rights of the child.(15) Aside from the many beneficial uses of artificial intelligence, that technology can also be misused and provide novel and powerful tools for manipulative, exploitative and social control practices. Such practices are particularly harmful and abusive and should be prohibited because they contradict Union values of respect for human dignity, freedom, equality, democracy and the rule of law and Union fundamental rights, including the right to non-discrimination, data protection and privacy and the rights of the child.
Recital (16)(16)  The placing on the market, putting into service or use of certain AI systems intended to distort human behaviour, whereby physical or psychological harms are likely to occur, should be forbidden. Such AI systems deploy subliminal components individuals cannot perceive or exploit vulnerabilities of children and people due to their age, physical or mental incapacities. They do so with the intention to materially distortthe behaviour of a person and in a manner that causes or is likely to cause harm to that or another person. The intention may not be presumed if the distortion of human behaviour results from factors external to the AI system which are outside of the control of the provider or the user. Research for legitimate purposes in relation to such AI systems should not be stifled by the prohibition, if such research does not amount to use of the AI system in human-machine relations that exposes natural persons to harm and such research is carried out in accordance with recognised ethical standards for scientific research.(16)  The placing on the market, putting into service or use of certain AI systems with the objective to or the effect of materially distorting human behaviour, whereby physical or psychological harms are likely to occur, should be forbidden. This limitation should be understood to include neuro-technologies assisted by AI systems that are used to monitor, use, or influence neural data gathered through brain-computer interfaces insofar as they are materially distorting the behaviour of a natural person in a manner that causes or is likely to cause that person or another person significant harm. Such AI systems deploy subliminal components individuals cannot perceive or exploit vulnerabilities of individualsand specific groups of persons due to their known or predicted personality traits, age, physical or mental incapacities, social or economic situation. They do so with the intention to or the effect of materially distorting the behaviour of a person and in a manner that causes or is likely to cause significant harm to that or another person or groups of persons, including harms that may be accumulated over time. The intention to distort the behaviour may not be presumed if the distortion results from factors external to the AI system which are outside of the control of the provider or the user, such as factors that may not be reasonably foreseen and mitigated by the provider or the deployer of the AI system. In any case, it is not necessary for the provider or the deployer to have the intention to cause the significant harm, as long as such harm results from the manipulative or exploitative AI-enabled practices. The prohibitions for such AI practices is complementary to the provisions contained in Directive 2005/29/EC, according to which unfair commercial practices are prohibited, irrespective of whether they carried out having recourse to AI systems or otherwise. In such setting, lawful commercial practices, for example in the field of advertising, that are in compliance with Union law should not in themselves be regarded as violating prohibition. Research for legitimate purposes in relation to such AI systems should not be stifled by the prohibition, if such research does not amount to use of the AI system in human-machine relations that exposes natural persons to harm and such research is carried out in accordance with recognised ethical standards for scientific research and on the basis of specific informed consent of the individuals that are exposed to them or, where applicable, of their legal guardian.(16) AI-enabled manipulative techniques can be used to persuade persons to engage in unwanted behaviours, or to deceive them by nudging them into decisions in a way that subverts and impairs their autonomy, decision-making and free choices. The placing on the market, putting into service or use of certain AI systems materially distorting human behaviour, whereby physical or psychological harms are likely to occur, are particularly dangerous and should therefore be forbidden. Such AI systems deploy subliminal components such as audio, image, video stimuli that persons cannot perceive as those stimuli are beyond human perception or other subliminal techniques that subvert or impair person’s autonomy, decision-making or free choices in ways that people are not consciously aware of, or even if aware not able to control or resist, for example in cases of machine-brain interfaces or virtual reality. In addition, AI systems may also otherwise exploit vulnerabilities of a specific group of persons due to their age, disability within the meaning of Directive (EU) 2019/882, or a specific social or economic situation that is likely to make those persons more vulnerable to exploitation such as persons living in extreme poverty, ethnic or religious minorities. Such AI systems can be placed on the market, put into service or used with the objective to or the effect of materially distorting the behaviour of a person and in a manner that causes or is reasonably likely to cause physical or phycological harm to that or another person or groups of persons, including harms that may be accumulated over time. The intention to distort the behaviour may not be presumed if the distortion results from factors external to the AI system which are outside of the control of the provider or the user, meaning factors that may not be reasonably foreseen and mitigated by the provider or the user of the AI system. In any case, it is not necessary for the provider or the user to have the intention to cause the physical or psychological harm, as long as such harm results from the manipulative or exploitative AI-enabled practices. The prohibitions for such AI practices are complementary to the provisions contained in Directive 2005/29/EC, notably that unfair commercial practices leading to economic or financial harms to consumers are prohibited under all circumstances, irrespective of whether they are put in place through AI systems or otherwise. The prohibitions of manipulative and exploitative practices in this Regulation should not affect lawful practices in the context of medical treatment such as psychological treatment of a mental disease or physical rehabilitation, when those practices are carried out in accordance with the applicable medical standards and legislation. In addition, common and legitimate commercial practices that are in compliance with the applicable law should not in themselves be regarded as constituting harmful manipulative AI practices. (16) The placing on the market, putting into service or use of certain AI systems intended to distort human behaviour, whereby physical or psychological harms are likely to occur, should be forbidden. Such AI systems deploy subliminal components individuals cannot perceive or exploit vulnerabilities of individuals and specific groups of persons due to their known or predicted personality traits, age, physical or mental incapacities, social or economic situation. They do so with the intention to or the effect of materially distorting the behaviour of a person and in a manner that causes or is likely to cause significant harm to that or another person or groups of persons, including harms that may be accumulated over time. The intention to distort the behaviour may not be presumed if the distortion results from factors external to the AI system which are outside of the control of the provider or the user, such as factors that may not be reasonably foreseen and mitigated by the provider or the deployer of the AI system. In any case, it is not necessary for the provider or the deployer to have the intention to cause the significant harm, as long as such harm results from the manipulative or exploitative AI-enabled practices. The prohibitions for such AI practices are complementary to the provisions contained in Directive 2005/29/EC, according to which unfair commercial practices are prohibited, irrespective of whether they carried out having recourse to AI systems or otherwise. In such setting, lawful commercial practices, for example in the field of advertising, that are in compliance with Union law should not in themselves be regarded as violating prohibition. Research for legitimate purposes in relation to such AI systems should not be stifled by the prohibition, if such research does not amount to use of the AI system in human-machine relations that exposes natural persons to harm and such research is carried out in accordance with recognised ethical standards for scientific research and on the basis of specific informed consent of the individuals that are exposed to them or, where applicable, of their legal guardian. The prohibitions of manipulative and exploitative practices in this Regulation should not affect lawful practices in the context of medical treatment such as psychological treatment of a mental disease or physical rehabilitation, when those practices are carried out in accordance with the applicable medical standards and legislation.
Recital (16a) (new)(16a)  AI systems that categorise natural persons by assigning them to specific categories, according to known or inferred sensitive or protected characteristics are particularly intrusive, violate human dignity and hold great risk of discrimination. Such characteristics include gender, gender identity, race, ethnic origin, migration or citizenship status, political orientation, sexual orientation, religion, disability or any other grounds on which discrimination is prohibited under Article 21 of the Charter of Fundamental Rights of the European Union, as well as under Article 9 of Regulation (EU)2016/769. Such systems should therefore be prohibited.AI systems that categorize natural persons by assigning them to specific categories, based on known or inferred sensitive or protected characteristics, are considered highly intrusive, infringe upon human dignity, and carry a significant risk of discrimination. These characteristics include gender, gender identity, race, ethnic origin, migration or citizenship status, political orientation, sexual orientation, religion, disability, or any other grounds on which discrimination is prohibited under Article 21 of the Charter of Fundamental Rights of the European Union, as well as under Article 9 of Regulation (EU)2016/769. Therefore, the use of such systems should be prohibited.
Recital (17)(17)  AI systems providing social scoring of natural persons for general purpose by public authorities or on their behalf may lead to discriminatory outcomes and the exclusion of certain groups. They may violate the right to dignity and non-discrimination and the values of equality and justice. Such AI systems evaluate or classify the trustworthiness of natural persons based on their social behaviour in multiple contexts or known or predicted personal or personality characteristics. The social score obtained from such AI systems may lead to the detrimental or unfavourable treatment of natural persons or whole groups thereof in social contexts, which are unrelated to the context in which the data was originally generated or collected or to a detrimental treatment that is disproportionate or unjustified to the gravity of their social behaviour. Such AI systems should be therefore prohibited.(17)  AI systems providing social scoring of natural persons for general purpose may lead to discriminatory outcomes and the exclusion of certain groups. They violate the right to dignity and non-discrimination and the values of equality and justice. Such AI systems evaluate or classify natural persons or groups based on multiple data points and time occurrences related to their social behaviour in multiple contexts or known, inferred or predicted personal or personality characteristics. The social score obtained from such AI systems may lead to the detrimental or unfavourable treatment of natural persons or whole groups thereof in social contexts, which are unrelated to the context in which the data was originally generated or collected or to a detrimental treatment that is disproportionate or unjustified to the gravity of their social behaviour. Such AI systems should be therefore prohibited.(17) AI systems providing social scoring of natural persons by public authorities or by private actors may lead to discriminatory outcomes and the exclusion of certain groups. They may violate the right to dignity and non-discrimination and the values of equality and justice. Such AI systems evaluate or classify natural persons based on their social behaviour in multiple contexts or known or predicted personal or personality characteristics. The social score obtained from such AI systems may lead to the detrimental or unfavourable treatment of natural persons or whole groups thereof in social contexts, which are unrelated to the context in which the data was originally generated or collected or to a detrimental treatment that is disproportionate or unjustified to the gravity of their social behaviour. AI systems entailing such unacceptable scoring practices should be therefore prohibited. This prohibition should not affect lawful evaluation practices of natural persons done for one or more specific purpose in compliance with the law.(17) AI systems providing social scoring of natural persons for general purpose by public authorities, on their behalf, or by private actors may lead to discriminatory outcomes and the exclusion of certain groups. They may violate the right to dignity and non-discrimination and the values of equality and justice. Such AI systems evaluate or classify natural persons or groups based on their social behaviour in multiple contexts or known, inferred, or predicted personal or personality characteristics, using multiple data points and time occurrences. The social score obtained from such AI systems may lead to the detrimental or unfavourable treatment of natural persons or whole groups thereof in social contexts, which are unrelated to the context in which the data was originally generated or collected or to a detrimental treatment that is disproportionate or unjustified to the gravity of their social behaviour. AI systems entailing such unacceptable scoring practices should be therefore prohibited. This prohibition should not affect lawful evaluation practices of natural persons done for one or more specific purpose in compliance with the law.
Recital (18)(18)  The use of AI systems for ‘real-time’ remote biometric identification of natural persons in publicly accessible spaces for the purpose of law enforcement is considered particularly intrusive in the rights and freedoms of the concerned persons, to the extent that it may affect the private life of a large part of the population, evoke a feeling of constant surveillance and indirectly dissuade the exercise of the freedom of assembly and other fundamental rights. In addition, the immediacy of the impact and the limited opportunities for further checks or corrections in relation to the use of such systems operating in ‘real-time’ carry heightened risks for the rights and freedoms of the persons that are concerned by law enforcement activities.(18)  The use of AI systems for ‘real-time’ remote biometric identification of natural persons in publicly accessible spaces is particularly intrusive to the rights and freedoms of the concerned persons, and can ultimately affect the private life of a large part of the population, evoke a feeling of constant surveillance, give parties deploying biometric identification in publicly accessible spaces a position of uncontrollable power and indirectly dissuade the exercise of the freedom of assembly and other fundamental rights at the core to the Rule of Law. Technical inaccuracies of AI systems intended for the remote biometric identification of natural persons can lead to biased results and entail discriminatory effects. This is particularly relevant when it comes to age, ethnicity, sex or disabilities. In addition, the immediacy of the impact and the limited opportunities for further checks or corrections in relation to the use of such systems operating in ‘real-time’ carry heightened risks for the rights and freedoms of the persons that are concerned by law enforcement activities. The use of those systems in publicly accessible places should therefore be prohibited. Similarly, AI systems used for the analysis of recorded footage of publicly accessible spaces through ‘post’ remote biometric identification systems should also be prohibited, unless there is pre-judicial authorisation for use in the context of law enforcement, when strictly necessary for the targeted search connected to a specific serious criminal offense that already took place, and only subject to a pre-judicial authorisation.(18) The use of AI systems for ‘real-time’ remote biometric identification of natural persons in publicly accessible spaces for the purpose of law enforcement is considered particularly intrusive in the rights and freedoms of the concerned persons, to the extent that it may affect the private life of a large part of the population, evoke a feeling of constant surveillance and indirectly dissuade the exercise of the freedom of assembly and other fundamental rights. In addition, the immediacy of the impact and the limited opportunities for further checks or corrections in relation to the use of such systems operating in ‘real-time’ carry heightened risks for the rights and freedoms of the persons that are concerned by law enforcement activities.(18) The use of AI systems for ‘real-time’ remote biometric identification of natural persons in publicly accessible spaces for the purpose of law enforcement is considered particularly intrusive to the rights and freedoms of the concerned persons, to the extent that it may affect the private life of a large part of the population, evoke a feeling of constant surveillance, give parties deploying biometric identification in publicly accessible spaces a position of uncontrollable power and indirectly dissuade the exercise of the freedom of assembly and other fundamental rights at the core to the Rule of Law. Technical inaccuracies of AI systems intended for the remote biometric identification of natural persons can lead to biased results and entail discriminatory effects, particularly when it comes to age, ethnicity, sex or disabilities. In addition, the immediacy of the impact and the limited opportunities for further checks or corrections in relation to the use of such systems operating in ‘real-time’ carry heightened risks for the rights and freedoms of the persons that are concerned by law enforcement activities. The use of those systems in publicly accessible places should therefore be prohibited, unless there is pre-judicial authorisation for use in the context of law enforcement, when strictly necessary for the targeted search connected to a specific serious criminal offense that already took place, and only subject to a pre-judicial authorisation.
Recital (19)(19)  The use of those systems for the purpose of law enforcement should therefore be prohibited, except in three exhaustively listed and narrowly defined situations, where the use is strictly necessary to achieve a substantial public interest, the importance of which outweighs the risks. Those situations involve the search for potential victims of crime, including missing children; certain threats to the life or physical safety of natural persons or of a terrorist attack; and the detection, localisation, identification or prosecution of perpetrators or suspects of the criminal offences referred to in Council Framework Decision 2002/584/JHA38 if those criminal offences are punishable in the Member State concerned by a custodial sentence or a detention order for a maximum period of at least three years and as they are defined in the law of that Member State. Such threshold for the custodial sentence or detention order in accordance with national law contributes to ensure that the offence should be serious enough to potentially justify the use of ‘real-time’ remote biometric identification systems. Moreover, of the 32 criminal offences listed in the Council Framework Decision 2002/584/JHA, some are in practice likely to be more relevant than others, in that the recourse to ‘real-time’ remote biometric identification will foreseeably be necessary and proportionate to highly varying degrees for the practical pursuit of the detection, localisation, identification or prosecution of a perpetrator or suspect of the different criminal offences listed and having regard to the likely differences in the seriousness, probability and scale of the harm or possible negative consequences.



38 Council Framework Decision 2002/584/JHA of 13 June 2002 on the European arrest warrant and the surrender procedures between Member States (OJ L 190, 18.7.2002, p. 1).		deleted(19) The use of those systems for the purpose of law enforcement should therefore be prohibited, except in exhaustively listed and narrowly defined situations, where the use is strictly necessary to achieve a substantial public interest, the importance of which outweighs the risks. Those situations involve the search for potential victims of crime, including missing children; certain threats to the life or physical safety of natural persons or of a terrorist attack; and the detection, localisation, identification or prosecution of perpetrators or suspects of the criminal offences referred to in Council Framework Decision 2002/584/JHA9 if those criminal offences are punishable in the Member State concerned by a custodial sentence or a detention order for a maximum period of at least three years and as they are defined in the law of that Member State. Such threshold for the custodial sentence or detention order in accordance with national law contributes to ensure that the offence should be serious enough to potentially justify the use of ‘real-time’ remote biometric identification systems. Moreover, of the 32 criminal offences listed in the Council Framework Decision 2002/584/JHA9, some are in practice likely to be more relevant than others, in that the recourse to ‘real-time’ remote biometric identification will foreseeably be necessary and proportionate to highly varying degrees for the practical pursuit of the detection, localisation, identification or prosecution of a perpetrator or suspect of the different criminal offences listed and having regard to the likely differences in the seriousness, probability and scale of the harm or possible negative consequences. In addition, this Regulation should preserve the ability for law enforcement, border control, immigration or asylum authorities to carry out identity checks in the presence of the person that is concerned in accordance with the conditions set out in Union and national law for such checks. In particular, law enforcement, border control, immigration or asylum authorities should be able to use information systems, in accordance with Union or national law, to identify a person who, during an identity check, either refuses to be identified or is unable to state or prove his or her identity, without being required by this Regulation to obtain prior authorisation. This could be, for example, a person involved in a crime, being unwilling, or unable due to an accident or a medical condition, to disclose their identity to law enforcement authorities.

____
9. Council Framework Decision 2002/584/JHA of 13 June 2002 on the European arrest warrant and the surrender procedures between Member States (OJ L 190, 18.7.2002, p. 1).		(19) The use of those systems for the purpose of law enforcement should therefore be prohibited, except in exhaustively listed and narrowly defined situations, where the use is strictly necessary to achieve a substantial public interest, the importance of which outweighs the risks. Those situations involve the search for potential victims of crime, including missing children; certain threats to the life or physical safety of natural persons or of a terrorist attack; and the detection, localisation, identification or prosecution of perpetrators or suspects of the criminal offences referred to in Council Framework Decision 2002/584/JHA if those criminal offences are punishable in the Member State concerned by a custodial sentence or a detention order for a maximum period of at least three years and as they are defined in the law of that Member State. Such threshold for the custodial sentence or detention order in accordance with national law contributes to ensure that the offence should be serious enough to potentially justify the use of ‘real-time’ remote biometric identification systems. Moreover, of the 32 criminal offences listed in the Council Framework Decision 2002/584/JHA, some are in practice likely to be more relevant than others, in that the recourse to ‘real-time’ remote biometric identification will foreseeably be necessary and proportionate to highly varying degrees for the practical pursuit of the detection, localisation, identification or prosecution of a perpetrator or suspect of the different criminal offences listed and having regard to the likely differences in the seriousness, probability and scale of the harm or possible negative consequences.
Recital (20)(20)  In order to ensure that those systems are used in a responsible and proportionate manner, it is also important to establish that, in each of those three exhaustively listed and narrowly defined situations, certain elements should be taken into account, in particular as regards the nature of the situation giving rise to the request and the consequences of the use for the rights and freedoms of all persons concerned and the safeguards and conditions provided for with the use. In addition, the use of ‘real-time’ remote biometric identification systems in publicly accessible spaces for the purpose of law enforcement should be subject to appropriate limits in time and space, having regard in particular to the evidence or indications regarding the threats, the victims or perpetrator. The reference database of persons should be appropriate for each use case in each of the three situations mentioned above.deleted(20) In order to ensure that those systems are used in a responsible and proportionate manner, it is also important to establish that, in each of those exhaustively listed and narrowly defined situations, certain elements should be taken into account, in particular as regards the nature of the situation giving rise to the request and the consequences of the use for the rights and freedoms of all persons concerned and the safeguards and conditions provided for with the use. In addition, the use of ‘real-time’ remote biometric identification systems in publicly accessible spaces for the purpose of law enforcement should be subject to appropriate limits in time and space, having regard in particular to the evidence or indications regarding the threats, the victims or perpetrator. The reference database of persons should be appropriate for each use case in each of the situations mentioned above.(20) In order to ensure that those systems are used in a responsible and proportionate manner, it is also important to establish that, in each of those exhaustively listed and narrowly defined situations, certain elements should be taken into account, in particular as regards the nature of the situation giving rise to the request and the consequences of the use for the rights and freedoms of all persons concerned and the safeguards and conditions provided for with the use. In addition, the use of ‘real-time’ remote biometric identification systems in publicly accessible spaces for the purpose of law enforcement should be subject to appropriate limits in time and space, having regard in particular to the evidence or indications regarding the threats, the victims or perpetrator. The reference database of persons should be appropriate for each use case in each of the three situations mentioned above.
Recital (21)(21)  Each use of a ‘real-time’ remote biometric identification system in publicly accessible spaces for the purpose of law enforcement should be subject to an express and specific authorisation by a judicial authority or by an independent administrative authority of a Member State. Such authorisation should in principle be obtained prior to the use, except in duly justified situations of urgency, that is, situations where the need to use the systems in question is such as to make it effectively and objectively impossible to obtain an authorisation before commencing the use. In such situations of urgency, the use should be restricted to the absolute minimum necessary and be subject to appropriate safeguards and conditions, as determined in national law and specified in the context of each individual urgent use case by the law enforcement authority itself. In addition, the law enforcement authority should in such situations seek to obtain an authorisation as soon as possible, whilst providing the reasons for not having been able to request it earlier.deleted(21) Each use of a ‘real-time’ remote biometric identification system in publicly accessible spaces for the purpose of law enforcement should be subject to an express and specific authorisation by a judicial authority or by an independent administrative authority of a Member State. Such authorisation should in principle be obtained prior to the use of the system with a view to identify a person or persons. Exceptions to this rule should be allowed in duly justified situations of urgency, that is, situations where the need to use the systems in question is such as to make it effectively and objectively impossible to obtain an authorisation before commencing the use. In such situations of urgency, the use should be restricted to the absolute minimum necessary and be subject to appropriate safeguards and conditions, as determined in national law and specified in the context of each individual urgent use case by the law enforcement authority itself. In addition, the law enforcement authority should in such situations seek to obtain an authorisation as soon as possible, whilst providing the reasons for not having been able to request it earlier.(21) Each use of a ‘real-time’ remote biometric identification system in publicly accessible spaces for the purpose of law enforcement should be subject to an express and specific authorisation by a judicial authority or by an independent administrative authority of a Member State. Such authorisation should in principle be obtained prior to the use of the system with a view to identify a person or persons. Exceptions to this rule should be allowed in duly justified situations of urgency, that is, situations where the need to use the systems in question is such as to make it effectively and objectively impossible to obtain an authorisation before commencing the use. In such situations of urgency, the use should be restricted to the absolute minimum necessary and be subject to appropriate safeguards and conditions, as determined in national law and specified in the context of each individual urgent use case by the law enforcement authority itself. In addition, the law enforcement authority should in such situations seek to obtain an authorisation as soon as possible, whilst providing the reasons for not having been able to request it earlier.
Recital (22)(22)  Furthermore, it is appropriate to provide, within the exhaustive framework set by this Regulation that such use in the territory of a Member State in accordance with this Regulation should only be possible where and in as far as the Member State in question has decided to expressly provide for the possibility to authorise such use in its detailed rules of national law. Consequently, Member States remain free under this Regulation not to provide for such a possibility at all or to only provide for such a possibility in respect of some of the objectives capable of justifying authorised use identified in this Regulation.deleted(22) Furthermore, it is appropriate to provide, within the exhaustive framework set by this Regulation that such use in the territory of a Member State in accordance with this Regulation should only be possible where and in as far as the Member State in question has decided to expressly provide for the possibility to authorise such use in its detailed rules of national law. Consequently, Member States remain free under this Regulation not to provide for such a possibility at all or to only provide for such a possibility in respect of some of the objectives capable of justifying authorised use identified in this Regulation.(22) Furthermore, it is appropriate to provide, within the exhaustive framework set by this Regulation that such use in the territory of a Member State in accordance with this Regulation should only be possible where and in as far as the Member State in question has decided to expressly provide for the possibility to authorise such use in its detailed rules of national law. Consequently, Member States remain free under this Regulation not to provide for such a possibility at all or to only provide for such a possibility in respect of some of the objectives capable of justifying authorised use identified in this Regulation.
Recital (23)(23)  The use of AI systems for ‘real-time’ remote biometric identification of natural persons in publicly accessible spaces for the purpose of law enforcement necessarily involves the processing of biometric data. The rules of this Regulation that prohibit, subject to certain exceptions, such use, which are based on Article 16 TFEU, should apply as lex specialis in respect of the rules on the processing of biometric data contained in Article 10 of Directive (EU) 2016/680, thus regulating such use and the processing of biometric data involved in an exhaustive manner. Therefore, such use and processing should only be possible in as far as it is compatible with the framework set by this Regulation, without there being scope, outside that framework, for the competent authorities, where they act for purpose of law enforcement, to use such systems and process such data in connection thereto on the grounds listed in Article 10 of Directive (EU) 2016/680. In this context, this Regulation is not intended to provide the legal basis for the processing of personal data under Article 8 of Directive 2016/680. However, the use of ‘real-time’ remote biometric identification systems in publicly accessible spaces for purposes other than law enforcement, including by competent authorities, should not be covered by the specific framework regarding such use for the purpose of law enforcement set by this Regulation. Such use for purposes other than law enforcement should therefore not be subject to the requirement of an authorisation under this Regulation and the applicable detailed rules of national law that may give effect to it.deleted(23) The use of AI systems for ‘real-time’ remote biometric identification of natural persons in publicly accessible spaces for the purpose of law enforcement necessarily involves the processing of biometric data. The rules of this Regulation that prohibit, subject to certain exceptions, such use, which are based on Article 16 TFEU, should apply as lex specialis in respect of the rules on the processing of biometric data contained in Article 10 of Directive (EU) 2016/680, thus regulating such use and the processing of biometric data involved in an exhaustive manner. Therefore, such use and processing should only be possible in as far as it is compatible with the framework set by this Regulation, without there being scope, outside that framework, for the competent authorities, where they act for purpose of law enforcement, to use such systems and process such data in connection thereto on the grounds listed in Article 10 of Directive (EU) 2016/680. In this context, this Regulation is not intended to provide the legal basis for the processing of personal data under Article 8 of Directive 2016/680. However, the use of ‘real-time’ remote biometric identification systems in publicly accessible spaces for purposes other than law enforcement, including by competent authorities, should not be covered by the specific framework regarding such use for the purpose of law enforcement set by this Regulation. Such use for purposes other than law enforcement should therefore not be subject to the requirement of an authorisation under this Regulation and the applicable detailed rules of national law that may give effect to it.(23) The use of AI systems for ‘real-time’ remote biometric identification of natural persons in publicly accessible spaces for the purpose of law enforcement necessarily involves the processing of biometric data. The rules of this Regulation that prohibit, subject to certain exceptions, such use, which are based on Article 16 TFEU, should apply as lex specialis in respect of the rules on the processing of biometric data contained in Article 10 of Directive (EU) 2016/680, thus regulating such use and the processing of biometric data involved in an exhaustive manner. Therefore, such use and processing should only be possible in as far as it is compatible with the framework set by this Regulation, without there being scope, outside that framework, for the competent authorities, where they act for purpose of law enforcement, to use such systems and process such data in connection thereto on the grounds listed in Article 10 of Directive (EU) 2016/680. In this context, this Regulation is not intended to provide the legal basis for the processing of personal data under Article 8 of Directive 2016/680. However, the use of ‘real-time’ remote biometric identification systems in publicly accessible spaces for purposes other than law enforcement, including by competent authorities, should not be covered by the specific framework regarding such use for the purpose of law enforcement set by this Regulation. Such use for purposes other than law enforcement should therefore not be subject to the requirement of an authorisation under this Regulation and the applicable detailed rules of national law that may give effect to it.
Recital (24)(24)  Any processing of biometric data and other personal data involved in the use of AI systems for biometric identification, other than in connection to the use of ‘real-time’ remote biometric identification systems in publicly accessible spaces for the purpose of law enforcement as regulated by this Regulation, including where those systems are used by competent authorities in publicly accessible spaces for other purposes than law enforcement, should continue to comply with all requirements resulting from Article 9(1) of Regulation (EU) 2016/679, Article 10(1) of Regulation (EU) 2018/1725 and Article 10 of Directive (EU) 2016/680, as applicable.(24)  Any processing of biometric data and other personal data involved in the use of AI systems for biometric identification, other than in connection to the use of ‘real-time’ remote biometric identification systems in publicly accessible spaces as regulated by this Regulation should continue to comply with all requirements resulting from Article 9(1) of Regulation (EU) 2016/679, Article 10(1) of Regulation (EU) 2018/1725 and Article 10 of Directive (EU) 2016/680, as applicable.(24) Any processing of biometric data and other personal data involved in the use of AI systems for biometric identification, other than in connection to the use of ‘real-time’ remote biometric identification systems in publicly accessible spaces for the purpose of law enforcement as regulated by this Regulation, should continue to comply with all requirements resulting from Article 10 of Directive (EU) 2016/680. For purposes other than law enforcement, Article 9(1) of Regulation (EU) 2016/679 and Article 10(1) of Regulation (EU) 2018/1725 prohibit the processing of biometric data for the purpose of uniquely identifying a natural person, unless one of the situations in the respective second paragraphs of those two articles applies.(24) Any processing of biometric data and other personal data involved in the use of AI systems for biometric identification, other than in connection to the use of ‘real-time’ remote biometric identification systems in publicly accessible spaces for the purpose of law enforcement as regulated by this Regulation, should continue to comply with all requirements resulting from Article 10 of Directive (EU) 2016/680. For purposes other than law enforcement, the processing should continue to comply with all requirements resulting from Article 9(1) of Regulation (EU) 2016/679 and Article 10(1) of Regulation (EU) 2018/1725. These regulations prohibit the processing of biometric data for the purpose of uniquely identifying a natural person, unless one of the situations in the respective second paragraphs of those two articles applies.
Recital (25)(25)  In accordance with Article 6a of Protocol No 21 on the position of the United Kingdom and Ireland in respect of the area of freedom, security and justice, as annexed to the TEU and to the TFEU, Ireland is not bound by the rules laid down in Article 5(1), point (d), (2) and (3) of this Regulation adopted on the basis of Article 16 of the TFEU which relate to the processing of personal data by the Member States when carrying out activities falling within the scope of Chapter 4 or Chapter 5 of Title V of Part Three of the TFEU, where Ireland is not bound by the rules governing the forms of judicial cooperation in criminal matters or police cooperation which require compliance with the provisions laid down on the basis of Article 16 of the TFEU.(25)  In accordance with Article 6a of Protocol No 21 on the position of the United Kingdom and Ireland in respect of the area of freedom, security and justice, as annexed to the TEU and to the TFEU, Ireland is not bound by the rules laid down in Article 5(1), point (d), of this Regulation adopted on the basis of Article 16 of the TFEU which relate to the processing of personal data by the Member States when carrying out activities falling within the scope of Chapter 4 or Chapter 5 of Title V of Part Three of the TFEU, where Ireland is not bound by the rules governing the forms of judicial cooperation in criminal matters or police cooperation which require compliance with the provisions laid down on the basis of Article 16 of the TFEU.(25) In accordance with Article 6a of Protocol No 21 on the position of the United Kingdom and Ireland in respect of the area of freedom, security and justice, as annexed to the TEU and to the TFEU, Ireland is not bound by the rules laid down in Article 5(1), point (d), (2), (3) and (4) of this Regulation adopted on the basis of Article 16 of the TFEU which relate to the processing of personal data by the Member States when carrying out activities falling within the scope of Chapter 4 or Chapter 5 of Title V of Part Three of the TFEU, where Ireland is not bound by the rules governing the forms of judicial cooperation in criminal matters or police cooperation which require compliance with the provisions laid down on the basis of Article 16 of the TFEU.(25) In accordance with Article 6a of Protocol No 21 on the position of the United Kingdom and Ireland in respect of the area of freedom, security and justice, as annexed to the TEU and to the TFEU, Ireland is not bound by the rules laid down in Article 5(1), point (d), (2), (3) and (4) of this Regulation adopted on the basis of Article 16 of the TFEU which relate to the processing of personal data by the Member States when carrying out activities falling within the scope of Chapter 4 or Chapter 5 of Title V of Part Three of the TFEU, where Ireland is not bound by the rules governing the forms of judicial cooperation in criminal matters or police cooperation which require compliance with the provisions laid down on the basis of Article 16 of the TFEU.
Recital (26)(26)  In accordance with Articles 2 and 2a of Protocol No 22 on the position of Denmark, annexed to the TEU and TFEU, Denmark is not bound by rules laid down in Article 5(1), point (d), (2) and (3) of this Regulation adopted on the basis of Article 16 of the TFEU, or subject to their application, which relate to the processing of personal data by the Member States when carrying out activities falling within the scope of Chapter 4 or Chapter 5 of Title V of Part Three of the TFEU.(26)  In accordance with Articles 2 and 2a of Protocol No 22 on the position of Denmark, annexed to the TEU and TFEU, Denmark is not bound by rules laid down in Article 5(1), point (d) of this Regulation adopted on the basis of Article 16 of the TFEU, or subject to their application, which relate to the processing of personal data by the Member States when carrying out activities falling within the scope of Chapter 4 or Chapter 5 of Title V of Part Three of the TFEU.(26) In accordance with Articles 2 and 2a of Protocol No 22 on the position of Denmark, annexed to the TEU and TFEU, Denmark is not bound by rules laid down in Article 5(1), point (d), (2), (3) and (4) of this Regulation adopted on the basis of Article 16 of the TFEU, or subject to their application, which relate to the processing of personal data by the Member States when carrying out activities falling within the scope of Chapter 4 or Chapter 5 of Title V of Part Three of the TFEU.(26) In accordance with Articles 2 and 2a of Protocol No 22 on the position of Denmark, annexed to the TEU and TFEU, Denmark is not bound by rules laid down in Article 5(1), point (d), (2), (3) and (4) of this Regulation adopted on the basis of Article 16 of the TFEU, or subject to their application, which relate to the processing of personal data by the Member States when carrying out activities falling within the scope of Chapter 4 or Chapter 5 of Title V of Part Three of the TFEU.
Recital (26a) (new)(26a)  AI systems used by law enforcement authorities or on their behalf to make predictions, profiles or risk assessments based on profiling of natural persons or data analysis based on personality traits and characteristics, including the person’s location, or past criminal behaviour of natural persons or groups of persons for the purpose of predicting the occurrence or reoccurrence of an actual or potential criminal offence(s) or other criminalised social behaviour or administrative offences, including fraud-predicition systems, hold a particular risk of discrimination against certain persons or groups of persons, as they violate human dignity as well as the key legal principle of presumption of innocence. Such AI systems should therefore be prohibited.AI systems utilized by law enforcement authorities, or on their behalf, for the purpose of making predictions, profiles, or risk assessments based on profiling of natural persons or data analysis based on personality traits and characteristics, including the person’s location, or past criminal behaviour of natural persons or groups of persons, with the aim of predicting the occurrence or reoccurrence of an actual or potential criminal offence(s) or other criminalised social behaviour or administrative offences, including fraud-prediction systems, should be prohibited. This is due to the particular risk they hold of discrimination against certain persons or groups of persons, as they violate human dignity as well as the key legal principle of presumption of innocence.
Recital (26b) (new)(26b)  The indiscriminate and untargeted scraping of biometric data from social media or CCTV footage to create or expand facial recognition databases add to the feeling of mass surveillance and can lead to gross violations of fundamental rights, including the right to privacy. The use of AI systems with this intended purpose should therefore be prohibited.The unregulated and indiscriminate collection of biometric data from sources such as social media or CCTV footage for the purpose of creating or expanding facial recognition databases contributes to a sense of mass surveillance and has the potential to result in severe infringements of fundamental rights, including the right to privacy. Therefore, the deployment of AI systems with this specific intention should be strictly prohibited.
Recital (26c) (new)(26c)  There are serious concerns about the scientific basis of AI systems aiming to detect emotions, physical or physiological features such as facial expressions, movements, pulse frequency or voice. Emotions or expressions of emotions and perceptions thereof vary considerably across cultures and situations, and even within a single individual. Among the key shortcomings of such technologies, are the limited reliability (emotion categories are neither reliably expressed through, nor unequivocally associated with, a common set of physical or physiological movements), the lack of specificity (physical or physiological expressions do not perfectly match emotion categories) and the limited generalisability (the effects of context and culture are not sufficiently considered). Reliability issues and consequently, major risks for abuse, may especially arise when deploying the system in real-life situations related to law enforcement, border management, workplace and education institutions. Therefore, the placing on the market, putting into service, or use of AI systems intended to be used in these contexts to detect the emotional state of individuals should be prohibited.There are significant concerns regarding the scientific foundation of AI systems designed to detect emotions, physical or physiological features such as facial expressions, movements, pulse frequency or voice. The expression of emotions and their perception can vary greatly across cultures, situations, and even within a single individual. Key limitations of these technologies include limited reliability, as emotion categories are not consistently expressed through or associated with a common set of physical or physiological movements. There is also a lack of specificity, as physical or physiological expressions do not perfectly align with emotion categories, and limited generalisability, as the effects of context and culture are not adequately considered. These reliability issues pose major risks for misuse, particularly when the system is deployed in real-life situations related to law enforcement, border management, workplaces, and educational institutions. Therefore, the marketing, servicing, or use of AI systems intended for use in these contexts to detect the emotional state of individuals should be prohibited.
Recital (26d) (new)(26d)  Practices that are prohibited by Union legislation, including data protection law, non-discrimination law, consumer protection law, and competition law, should not be affected by this RegulationThis Regulation should not affect practices that are prohibited by Union legislation, including data protection law, non-discrimination law, consumer protection law, and competition law.
Recital (27)(27)  High-risk AI systems should only be placed on the Union market or put into service if they comply with certain mandatory requirements. Those requirements should ensure that high-risk AI systems available in the Union or whose output is otherwise used in the Union do not pose unacceptable risks to important Union public interests as recognised and protected by Union law. AI systems identified as high-risk should be limited to those that have a significant harmful impact on the health, safety and fundamental rights of persons in the Union and such limitation minimises any potential restriction to international trade, if any.(27)  High-risk AI systems should only be placed on the Union market, put into service or used if they comply with certain mandatory requirements. Those requirements should ensure that high-risk AI systems available in the Union or whose output is otherwise used in the Union do not pose unacceptable risks to important Union public interests as recognised and protected by Union law, including fundamental rights, democracy, the rule or law or the environment. In order to ensure alignment with sectoral legislation and avoid duplications, requirements for high-risk AI systems should take into account sectoral legislation laying down requirements for high-risk AI systems included in the scope of this Regulation, such as Regulation (EU) 2017/745 on Medical Devices and Regulation (EU) 2017/746 on In Vitro Diagnostic Devices or Directive 2006/42/EC on Machinery. AI systems identified as high-risk should be limited to those that have a significant harmful impact on the health, safety and fundamental rights of persons in the Union and such limitation minimises any potential restriction to international trade, if any. Given the rapid pace of technological development, as well as the potential changes in the use of AI systems, the list of high-risk areas and use-cases in Annex III should nonetheless be subject to permanent review through the exercise of regular assessment.(27) High-risk AI systems should only be placed on the Union market or put into service if they comply with certain mandatory requirements. Those requirements should ensure that high- risk AI systems available in the Union or whose output is otherwise used in the Union do not pose unacceptable risks to important Union public interests as recognised and protected by Union law. AI systems identified as high-risk should be limited to those that have a significant harmful impact on the health, safety and fundamental rights of persons in the Union and such limitation minimises any potential restriction to international trade, if any.(27) High-risk AI systems should only be placed on the Union market, put into service or used if they comply with certain mandatory requirements. Those requirements should ensure that high-risk AI systems available in the Union or whose output is otherwise used in the Union do not pose unacceptable risks to important Union public interests as recognised and protected by Union law, including fundamental rights, democracy, the rule of law or the environment. AI systems identified as high-risk should be limited to those that have a significant harmful impact on the health, safety and fundamental rights of persons in the Union and such limitation minimises any potential restriction to international trade, if any. In order to ensure alignment with sectoral legislation and avoid duplications, requirements for high-risk AI systems should take into account sectoral legislation laying down requirements for high-risk AI systems included in the scope of this Regulation, such as Regulation (EU) 2017/745 on Medical Devices and Regulation (EU) 2017/746 on In Vitro Diagnostic Devices or Directive 2006/42/EC on Machinery. Given the rapid pace of technological development, as well as the potential changes in the use of AI systems, the list of high-risk areas and use-cases in Annex III should nonetheless be subject to permanent review through the exercise of regular assessment.
Recital (28)(28)  AI systems could produce adverse outcomes to health and safety of persons, in particular when such systems operate as components of products. Consistently with the objectives of Union harmonisation legislation to facilitate the free movement of products in the internal market and to ensure that only safe and otherwise compliant products find their way into the market, it is important that the safety risks that may be generated by a product as a whole due to its digital components, including AI systems, are duly prevented and mitigated. For instance, increasingly autonomous robots, whether in the context of manufacturing or personal assistance and care should be able to safely operate and performs their functions in complex environments. Similarly, in the health sector where the stakes for life and health are particularly high, increasingly sophisticated diagnostics systems and systems supporting human decisions should be reliable and accurate. The extent of the adverse impact caused by the AI system on the fundamental rights protected by the Charter is of particular relevance when classifying an AI system as high-risk. Those rights include the right to human dignity, respect for private and family life, protection of personal data, freedom of expression and information, freedom of assembly and of association, and non-discrimination, consumer protection, workers’ rights, rights of persons with disabilities, right to an effective remedy and to a fair trial, right of defence and the presumption of innocence, right to good administration. In addition to those rights, it is important to highlight that children have specific rights as enshrined in Article 24 of the EU Charter and in the United Nations Convention on the Rights of the Child (further elaborated in the UNCRC General Comment No. 25 as regards the digital environment), both of which require consideration of the children’s vulnerabilities and provision of such protection and care as necessary for their well-being. The fundamental right to a high level of environmental protection enshrined in the Charter and implemented in Union policies should also be considered when assessing the severity of the harm that an AI system can cause, including in relation to the health and safety of persons.(28)  AI systems could have an adverse impact to health and safety of persons, in particular when such systems operate as safety components of products. Consistently with the objectives of Union harmonisation legislation to facilitate the free movement of products in the internal market and to ensure that only safe and otherwise compliant products find their way into the market, it is important that the safety risks that may be generated by a product as a whole due to its digital components, including AI systems, are duly prevented and mitigated. For instance, increasingly autonomous robots, whether in the context of manufacturing or personal assistance and care should be able to safely operate and performs their functions in complex environments. Similarly, in the health sector where the stakes for life and health are particularly high, increasingly sophisticated diagnostics systems and systems supporting human decisions should be reliable and accurate.(28) AI systems could produce adverse outcomes to health and safety of persons, in particular when such systems operate as components of products. Consistently with the objectives of Union harmonisation legislation to facilitate the free movement of products in the internal market and to ensure that only safe and otherwise compliant products find their way into the market, it is important that the safety risks that may be generated by a product as a whole due to its digital components, including AI systems, are duly prevented and mitigated. For instance, increasingly autonomous robots, whether in the context of manufacturing or personal assistance and care should be able to safely operate and performs their functions in complex environments. Similarly, in the health sector where the stakes for life and health are particularly high, increasingly sophisticated diagnostics systems and systems supporting human decisions should be reliable and accurate. The extent of the adverse impact caused by the AI system on the fundamental rights protected by the Charter is of particular relevance when classifying an AI system as high-risk. Those rights include the right to human dignity, respect for private and family life, protection of personal data, freedom of expression and information, freedom of assembly and of association, and non-discrimination, consumer protection, workers’ rights, rights of persons with disabilities, right to an effective remedy and to a fair trial, right of defence and the presumption of innocence, right to good administration. In addition to those rights, it is important to highlight that children have specific rights as enshrined in Article 24 of the EU Charter and in the United Nations Convention on the Rights of the Child (further elaborated in the UNCRC General Comment No. 25 as regards the digital environment), both of which require consideration of the children’s vulnerabilities and provision of such protection and care as necessary for their well-being. The fundamental right to a high level of environmental protection enshrined in the Charter and implemented in Union policies should also be considered when assessing the severity of the harm that an AI system can cause, including in relation to the health and safety of persons.(28) AI systems could produce adverse outcomes to health and safety of persons, particularly when such systems operate as components or safety components of products. In line with the objectives of Union harmonisation legislation to facilitate the free movement of products in the internal market and to ensure that only safe and compliant products find their way into the market, it is crucial that the safety risks that may be generated by a product as a whole due to its digital components, including AI systems, are duly prevented and mitigated. For instance, increasingly autonomous robots, whether in the context of manufacturing or personal assistance and care, should be able to safely operate and perform their functions in complex environments. Similarly, in the health sector where the stakes for life and health are particularly high, increasingly sophisticated diagnostics systems and systems supporting human decisions should be reliable and accurate. The extent of the adverse impact caused by the AI system on the fundamental rights protected by the Charter is of particular relevance when classifying an AI system as high-risk. These rights include the right to human dignity, respect for private and family life, protection of personal data, freedom of expression and information, freedom of assembly and of association, and non-discrimination, consumer protection, workers’ rights, rights of persons with disabilities, right to an effective remedy and to a fair trial, right of defence and the presumption of innocence, right to good administration. In addition to these rights, it is important to highlight that children have specific rights as enshrined in Article 24 of the EU Charter and in the United Nations Convention on the Rights of the Child (further elaborated in the UNCRC General Comment No. 25 as regards the digital environment), both of which require consideration of the children’s vulnerabilities and provision of such protection and care as necessary for their well-being. The fundamental right to a high level of environmental protection enshrined in the Charter and implemented in Union policies should also be considered when assessing the severity of the harm that an AI system can cause, including in relation to the health and safety of persons.
Recital (28a)(28a)  The extent of the adverse impact caused by the AI system on the fundamental rights protected by the Charter is of particular relevance when classifying an AI system as high-risk. Those rights include the right to human dignity, respect for private and family life, protection of personal data, freedom of expression and information, freedom of assembly and of association, and non-discrimination, right to education consumer protection, workers’ rights, rights of persons with disabilities, gender equality, intellectual property rights, right to an effective remedy and to a fair trial, right of defence and the presumption of innocence, right to good administration. In addition to those rights, it is important to highlight that children have specific rights as enshrined in Article 24 of the EU Charter and in the United Nations Convention on the Rights of the Child (further elaborated in the UNCRC General Comment No. 25 as regards the digital environment), both of which require consideration of the children’s vulnerabilities and provision of such protection and care as necessary for their well-being. The fundamental right to a high level of environmental protection enshrined in the Charter and implemented in Union policies should also be considered when assessing the severity of the harm that an AI system can cause, including in relation to the health and safety of persons or to the environment.The classification of an AI system as high-risk should take into account the extent of its adverse impact on the fundamental rights protected by the Charter. These rights encompass the right to human dignity, respect for private and family life, protection of personal data, freedom of expression and information, freedom of assembly and of association, non-discrimination, right to education, consumer protection, workers’ rights, rights of persons with disabilities, gender equality, intellectual property rights, right to an effective remedy and to a fair trial, right of defence and the presumption of innocence, and right to good administration.

Furthermore, it is crucial to acknowledge the specific rights of children as outlined in Article 24 of the EU Charter and in the United Nations Convention on the Rights of the Child, including the provisions detailed in the UNCRC General Comment No. 25 regarding the digital environment. These provisions necessitate the consideration of children’s vulnerabilities and the provision of necessary protection and care for their well-being.

Lastly, the fundamental right to a high level of environmental protection, as enshrined in the Charter and implemented in Union policies, should also be taken into account when assessing the severity of the harm that an AI system can cause, particularly in relation to the health and safety of persons or to the environment.
Recital (29)(29)  As regards high-risk AI systems that are safety components of products or systems, or which are themselves products or systems falling within the scope of Regulation (EC) No 300/2008 of the European Parliament and of the Council39 , Regulation (EU) No 167/2013 of the European Parliament and of the Council40 , Regulation (EU) No 168/2013 of the European Parliament and of the Council41 , Directive 2014/90/EU of the European Parliament and of the Council42 , Directive (EU) 2016/797 of the European Parliament and of the Council43 , Regulation (EU) 2018/858 of the European Parliament and of the Council44 , Regulation (EU) 2018/1139 of the European Parliament and of the Council45 , and Regulation (EU) 2019/2144 of the European Parliament and of the Council46 , it is appropriate to amend those acts to ensure that the Commission takes into account, on the basis of the technical and regulatory specificities of each sector, and without interfering with existing governance, conformity assessment and enforcement mechanisms and authorities established therein, the mandatory requirements for high-risk AI systems laid down in this Regulation when adopting any relevant future delegated or implementing acts on the basis of those acts.

–––
39. Regulation (EC) No 300/2008 of the European Parliament and of the Council of 11 March 2008 on common rules in the field of civil aviation security and repealing Regulation (EC) No 2320/2002 (OJ L 97, 9.4.2008, p. 72).

40. Regulation (EU) No 167/2013 of the European Parliament and of the Council of 5 February 2013 on the approval and market surveillance of agricultural and forestry vehicles (OJ L 60, 2.3.2013, p. 1).

41. Regulation (EU) No 168/2013 of the European Parliament and of the Council of 15 January 2013 on the approval and market surveillance of two- or three-wheel vehicles and quadricycles (OJ L 60, 2.3.2013, p. 52).

42. Directive 2014/90/EU of the European Parliament and of the Council of 23 July 2014 on marine equipment and repealing Council Directive 96/98/EC (OJ L 257, 28.8.2014, p. 146).

43. Directive (EU) 2016/797 of the European Parliament and of the Council of 11 May 2016 on the interoperability of the rail system within the European Union (OJ L 138, 26.5.2016, p. 44).

44. Regulation (EU) 2018/858 of the European Parliament and of the Council of 30 May 2018 on the approval and market surveillance of motor vehicles and their trailers, and of systems, components and separate technical units intended for such vehicles, amending Regulations (EC) No 715/2007 and (EC) No 595/2009 and repealing Directive 2007/46/EC (OJ L 151, 14.6.2018, p. 1).

45. Regulation (EU) 2018/1139 of the European Parliament and of the Council of 4 July 2018 on common rules in the field of civil aviation and establishing a European Union Aviation Safety Agency, and amending Regulations (EC) No 2111/2005, (EC) No 1008/2008, (EU) No 996/2010, (EU) No 376/2014 and Directives 2014/30/EU and 2014/53/EU of the European Parliament and of the Council, and repealing Regulations (EC) No 552/2004 and (EC) No 216/2008 of the European Parliament and of the Council and Council Regulation (EEC) No 3922/91 (OJ L 212, 22.8.2018, p. 1).

46. Regulation (EU) 2019/2144 of the European Parliament and of the Council of 27 November 2019 on type-approval requirements for motor vehicles and their trailers, and systems, components and separate technical units intended for such vehicles, as regards their general safety and the protection of vehicle occupants and vulnerable road users, amending Regulation (EU) 2018/858 of the European Parliament and of the Council and repealing Regulations (EC) No 78/2009, (EC) No 79/2009 and (EC) No 661/2009 of the European Parliament and of the Council and Commission Regulations (EC) No 631/2009, (EU) No 406/2010, (EU) No 672/2010, (EU) No 1003/2010, (EU) No 1005/2010, (EU) No 1008/2010, (EU) No 1009/2010, (EU) No 19/2011, (EU) No 109/2011, (EU) No 458/2011, (EU) No 65/2012, (EU) No 130/2012, (EU) No 347/2012, (EU) No 351/2012, (EU) No 1230/2012 and (EU) 2015/166 (OJ L 325, 16.12.2019, p. 1).		(29)  As regards high-risk AI systems that are safety components of products or systems, or which are themselves products or systems falling within the scope of Regulation (EC) No 300/2008 of the European Parliament and of the Council39 , Regulation (EU) No 167/2013 of the European Parliament and of the Council40 , Regulation (EU) No 168/2013 of the European Parliament and of the Council41 , Directive 2014/90/EU of the European Parliament and of the Council42 , Directive (EU) 2016/797 of the European Parliament and of the Council43 , Regulation (EU) 2018/858 of the European Parliament and of the Council44 , Regulation (EU) 2018/1139 of the European Parliament and of the Council45 , and Regulation (EU) 2019/2144 of the European Parliament and of the Council46 , it is appropriate to amend those acts to ensure that the Commission takes into account, on the basis of the technical and regulatory specificities of each sector, and without interfering with existing governance, conformity assessment, market surveillanceand enforcement mechanisms and authorities established therein, the mandatory requirements for high-risk AI systems laid down in this Regulation when adopting any relevant future delegated or implementing acts on the basis of those acts.

–––
39. Regulation (EC) No 300/2008 of the European Parliament and of the Council of 11 March 2008 on common rules in the field of civil aviation security and repealing Regulation (EC) No 2320/2002 (OJ L 97, 9.4.2008, p. 72).

40. Regulation (EU) No 167/2013 of the European Parliament and of the Council of 5 February 2013 on the approval and market surveillance of agricultural and forestry vehicles (OJ L 60, 2.3.2013, p. 1).

41. Regulation (EU) No 168/2013 of the European Parliament and of the Council of 15 January 2013 on the approval and market surveillance of two- or three-wheel vehicles and quadricycles (OJ L 60, 2.3.2013, p. 52).

42. Directive 2014/90/EU of the European Parliament and of the Council of 23 July 2014 on marine equipment and repealing Council Directive 96/98/EC (OJ L 257, 28.8.2014, p. 146).

43. Directive (EU) 2016/797 of the European Parliament and of the Council of 11 May 2016 on the interoperability of the rail system within the European Union (OJ L 138, 26.5.2016, p. 44).

44. Regulation (EU) 2018/858 of the European Parliament and of the Council of 30 May 2018 on the approval and market surveillance of motor vehicles and their trailers, and of systems, components and separate technical units intended for such vehicles, amending Regulations (EC) No 715/2007 and (EC) No 595/2009 and repealing Directive 2007/46/EC (OJ L 151, 14.6.2018, p. 1).

45. Regulation (EU) 2018/1139 of the European Parliament and of the Council of 4 July 2018 on common rules in the field of civil aviation and establishing a European Union Aviation Safety Agency, and amending Regulations (EC) No 2111/2005, (EC) No 1008/2008, (EU) No 996/2010, (EU) No 376/2014 and Directives 2014/30/EU and 2014/53/EU of the European Parliament and of the Council, and repealing Regulations (EC) No 552/2004 and (EC) No 216/2008 of the European Parliament and of the Council and Council Regulation (EEC) No 3922/91 (OJ L 212, 22.8.2018, p. 1).

46. Regulation (EU) 2019/2144 of the European Parliament and of the Council of 27 November 2019 on type-approval requirements for motor vehicles and their trailers, and systems, components and separate technical units intended for such vehicles, as regards their general safety and the protection of vehicle occupants and vulnerable road users, amending Regulation (EU) 2018/858 of the European Parliament and of the Council and repealing Regulations (EC) No 78/2009, (EC) No 79/2009 and (EC) No 661/2009 of the European Parliament and of the Council and Commission Regulations (EC) No 631/2009, (EU) No 406/2010, (EU) No 672/2010, (EU) No 1003/2010, (EU) No 1005/2010, (EU) No 1008/2010, (EU) No 1009/2010, (EU) No 19/2011, (EU) No 109/2011, (EU) No 458/2011, (EU) No 65/2012, (EU) No 130/2012, (EU) No 347/2012, (EU) No 351/2012, (EU) No 1230/2012 and (EU) 2015/166 (OJ L 325, 16.12.2019, p. 1).		(29) As regards high-risk AI systems that are safety components of products or systems, or which are themselves products or systems falling within the scope of Regulation (EC) No 300/2008 of the European Parliament and of the Council10, Regulation (EU) No 167/2013 of the European Parliament and of the Council11, Regulation (EU) No 168/2013 of the European Parliament and of the Council12, Directive 2014/90/EU of the European Parliament and of the Council13, Directive (EU) 2016/797 of the European Parliament and of the Council14, Regulation (EU) 2018/858 of the European Parliament and of the Council15, Regulation (EU) 2018/1139 of the European Parliament and of the Council16, and Regulation (EU) 2019/2144 of the European Parliament and of the Council17, it is appropriate to amend those acts to ensure that the Commission takes into account, on the basis of the technical and regulatory specificities of each sector, and without interfering with existing governance, conformity assessment and enforcement mechanisms and authorities established therein, the mandatory requirements for high-risk AI systems laid down in this Regulation when adopting any relevant future delegated or implementing acts on the basis of those acts.


10. Regulation (EC) No 300/2008 of the European Parliament and of the Council of 11 March 2008 on common rules in the field of civil aviation security and repealing Regulation (EC) No 2320/2002 (OJ L 97, 9.4.2008, p. 72).

11. Regulation (EU) No 167/2013 of the European Parliament and of the Council of 5 February 2013 on the approval and market surveillance of agricultural and forestry vehicles (OJ L 60, 2.3.2013, p. 1).

12. Regulation (EU) No 168/2013 of the European Parliament and of the Council of 15 January 2013 on the approval and market surveillance of two- or three-wheel vehicles and quadricycles (OJ L 60, 2.3.2013, p. 52).

13. Directive 2014/90/EU of the European Parliament and of the Council of 23 July 2014 on marine equipment and repealing Council Directive 96/98/EC (OJ L 257, 28.8.2014, p. 146).

14. Directive (EU) 2016/797 of the European Parliament and of the Council of 11 May 2016 on the interoperability of the rail system within the European Union (OJ L 138, 26.5.2016, p. 44).

15. Regulation (EU) 2018/858 of the European Parliament and of the Council of 30 May 2018 on the approval and market surveillance of motor vehicles and their trailers, and of systems, components and separate technical units intended for such vehicles, amending Regulations (EC) No 715/2007 and (EC) No 595/2009 and repealing Directive 2007/46/EC (OJ L 151, 14.6.2018, p. 1).

16. Regulation (EU) 2018/1139 of the European Parliament and of the Council of 4 July 2018 on common rules in the field of civil aviation and establishing a European Union Aviation Safety Agency, and amending Regulations (EC) No 2111/2005, (EC) No 1008/2008, (EU) No 996/2010, (EU) No 376/2014 and Directives 2014/30/EU and 2014/53/EU of the European Parliament and of the Council, and repealing Regulations (EC) No 552/2004 and (EC) No 216/2008 of the European Parliament and of the Council and Council Regulation (EEC) No 3922/91 (OJ L 212, 22.8.2018, p. 1).

17. Regulation (EU) 2019/2144 of the European Parliament and of the Council of 27 November 2019 on type- approval requirements for motor vehicles and their trailers, and systems, components and separate technical units intended for such vehicles, as regards their general safety and the protection of vehicle occupants and vulnerable road users, amending Regulation (EU) 2018/858 of the European Parliament and of the Council and repealing Regulations (EC) No 78/2009, (EC) No 79/2009 and (EC) No 661/2009 of the European Parliament and of the Council and Commission Regulations (EC) No 631/2009, (EU) No 406/2010, (EU) No 672/2010, (EU) No 1003/2010, (EU) No 1005/2010, (EU) No 1008/2010, (EU) No 1009/2010, (EU) No 19/2011, (EU) No 109/2011, (EU) No 458/2011, (EU) No 65/2012, (EU) No 130/2012, (EU) No 347/2012, (EU) No 351/2012, (EU) No 1230/2012 and (EU) 2015/166 (OJ L 325, 16.12.2019, p. 1).		(29) As regards high-risk AI systems that are safety components of products or systems, or which are themselves products or systems falling within the scope of Regulation (EC) No 300/2008 of the European Parliament and of the Council39 , Regulation (EU) No 167/2013 of the European Parliament and of the Council40 , Regulation (EU) No 168/2013 of the European Parliament and of the Council41 , Directive 2014/90/EU of the European Parliament and of the Council42 , Directive (EU) 2016/797 of the European Parliament and of the Council43 , Regulation (EU) 2018/858 of the European Parliament and of the Council44 , Regulation (EU) 2018/1139 of the European Parliament and of the Council45 , and Regulation (EU) 2019/2144 of the European Parliament and of the Council46 , it is appropriate to amend those acts to ensure that the Commission takes into account, on the basis of the technical and regulatory specificities of each sector, and without interfering with existing governance, conformity assessment, market surveillance and enforcement mechanisms and authorities established therein, the mandatory requirements for high-risk AI systems laid down in this Regulation when adopting any relevant future delegated or implementing acts on the basis of those acts.
Recital (30)(30)  As regards AI systems that are safety components of products, or which are themselves products, falling within the scope of certain Union harmonisation legislation, it is appropriate to classify them as high-risk under this Regulation if the product in question undergoes the conformity assessment procedure with a third-party conformity assessment body pursuant to that relevant Union harmonisation legislation. In particular, such products are machinery, toys, lifts, equipment and protective systems intended for use in potentially explosive atmospheres, radio equipment, pressure equipment, recreational craft equipment, cableway installations, appliances burning gaseous fuels, medical devices, and in vitro diagnostic medical devices.(30)  As regards AI systems that are safety components of products, or which are themselves products, falling within the scope of certain Union harmonisation law listed in Annex II, it is appropriate to classify them as high-risk under this Regulation if the product in question undergoes the conformity assessment procedure in order to ensure compliance with essential safety requirements with a third-party conformity assessment body pursuant to that relevant Union harmonisation law. In particular, such products are machinery, toys, lifts, equipment and protective systems intended for use in potentially explosive atmospheres, radio equipment, pressure equipment, recreational craft equipment, cableway installations, appliances burning gaseous fuels, medical devices, and in vitro diagnostic medical devices.(30) As regards AI systems that are safety components of products, or which are themselves products, falling within the scope of certain Union harmonisation legislation, it is appropriate to classify them as high-risk under this Regulation if the product in question undergoes the conformity assessment procedure with a third-party conformity assessment body pursuant to that relevant Union harmonisation legislation. In particular, such products are machinery, toys, lifts, equipment and protective systems intended for use in potentially explosive atmospheres, radio equipment, pressure equipment, recreational craft equipment, cableway installations, appliances burning gaseous fuels, medical devices, and in vitro diagnostic medical devices.(30) As regards AI systems that are safety components of products, or which are themselves products, falling within the scope of certain Union harmonisation legislation listed in Annex II, it is appropriate to classify them as high-risk under this Regulation if the product in question undergoes the conformity assessment procedure in order to ensure compliance with essential safety requirements with a third-party conformity assessment body pursuant to that relevant Union harmonisation legislation. In particular, such products are machinery, toys, lifts, equipment and protective systems intended for use in potentially explosive atmospheres, radio equipment, pressure equipment, recreational craft equipment, cableway installations, appliances burning gaseous fuels, medical devices, and in vitro diagnostic medical devices.
Recital (31)(31)  The classification of an AI system as high-risk pursuant to this Regulation should not necessarilymean that the product whose safety component is the AI system, or the AI system itself as a product, is considered ‘high-risk’ under the criteria established in the relevant Union harmonisation legislation that applies to the product. This is notably the case for Regulation (EU) 2017/745 of the European Parliament and of the Council47 and Regulation (EU) 2017/746 of the European Parliament and of the Council48 , where a third-party conformity assessment is provided for medium-risk and high-risk products.


47. Regulation (EU) 2017/745 of the European Parliament and of the Council of 5 April 2017 on medical devices, amending Directive 2001/83/EC, Regulation (EC) No 178/2002 and Regulation (EC) No 1223/2009 and repealing Council Directives 90/385/EEC and 93/42/EEC (OJ L 117, 5.5.2017, p. 1).

48. Regulation (EU) 2017/746 of the European Parliament and of the Council of 5 April 2017 on in vitro diagnostic medical devices and repealing Directive 98/79/EC and Commission Decision 2010/227/EU (OJ L 117, 5.5.2017, p. 176).		31)  The classification of an AI system as high-risk pursuant to this Regulation should not mean that the product whose safety component is the AI system, or the AI system itself as a product, is considered ‘high-risk’ under the criteria established in the relevant Union harmonisation law that applies to the product. This is notably the case for Regulation (EU) 2017/745 of the European Parliament and of the Council47 and Regulation (EU) 2017/746 of the European Parliament and of the Council48 , where a third-party conformity assessment is provided for medium-risk and high-risk products.


47. Regulation (EU) 2017/745 of the European Parliament and of the Council of 5 April 2017 on medical devices, amending Directive 2001/83/EC, Regulation (EC) No 178/2002 and Regulation (EC) No 1223/2009 and repealing Council Directives 90/385/EEC and 93/42/EEC (OJ L 117, 5.5.2017, p. 1).

48. Regulation (EU) 2017/746 of the European Parliament and of the Council of 5 April 2017 on in vitro diagnostic medical devices and repealing Directive 98/79/EC and Commission Decision 2010/227/EU (OJ L 117, 5.5.2017, p. 176).		(31) The classification of an AI system as high-risk pursuant to this Regulation should not necessarily mean that the product whose safety component is the AI system, or the AI system itself as a product, is considered ‘high-risk’ under the criteria established in the relevant Union harmonisation legislation that applies to the product. This is notably the case for Regulation (EU) 2017/745 of the European Parliament and of the Council18 and Regulation (EU) 2017/746 of the European Parliament and of the Council19, where a third- party conformity assessment is provided for medium-risk and high-risk products.


18. Regulation (EU) 2017/745 of the European Parliament and of the Council of 5 April 2017 on medical devices, amending Directive 2001/83/EC, Regulation (EC) No 178/2002 and Regulation (EC) No 1223/2009 and repealing Council Directives 90/385/EEC and 93/42/EEC (OJ L 117, 5.5.2017, p. 1).

19. Regulation (EU) 2017/746 of the European Parliament and of the Council of 5 April 2017 on in vitro diagnostic medical devices and repealing Directive 98/79/EC and Commission Decision 2010/227/EU (OJ L 117, 5.5.2017, p. 176).		(31) The classification of an AI system as high-risk pursuant to this Regulation should not necessarily mean that the product whose safety component is the AI system, or the AI system itself as a product, is considered ‘high-risk’ under the criteria established in the relevant Union harmonisation legislation that applies to the product. This is notably the case for Regulation (EU) 2017/745 of the European Parliament and of the Council and Regulation (EU) 2017/746 of the European Parliament and of the Council, where a third-party conformity assessment is provided for medium-risk and high-risk products.


Regulation (EU) 2017/745 of the European Parliament and of the Council of 5 April 2017 on medical devices, amending Directive 2001/83/EC, Regulation (EC) No 178/2002 and Regulation (EC) No 1223/2009 and repealing Council Directives 90/385/EEC and 93/42/EEC (OJ L 117, 5.5.2017, p. 1).

Regulation (EU) 2017/746 of the European Parliament and of the Council of 5 April 2017 on in vitro diagnostic medical devices and repealing Directive 98/79/EC and Commission Decision 2010/227/EU (OJ L 117, 5.5.2017, p. 176).
Recital (32)(32)  As regards stand-alone AI systems, meaning high-risk AI systems other than those that are safety components of products, or which are themselves products, it is appropriate to classify them as high-risk if, in the light of their intended purpose, they pose a high risk of harm to the health and safety or the fundamental rights of persons, taking into account both the severity of the possible harm and itsprobability of occurrence and they are used in a number of specifically pre-defined areas specified in the Regulation. The identification of those systems is based on the same methodology and criteria envisaged also for any future amendments of the list of high-risk AI systems.(32)  As regards stand-alone AI systems, meaning high-risk AI systems other than those that are safety components of products, or which are themselves products and that are listed in one of the areas and use cases in Annex III, it is appropriate to classify them as high-risk if, in the light of their intended purpose, they pose a significant risk of harm to the health and safety or the fundamental rights of persons and, where the AI system is used as a safety component of a critical infrastructure, to the environment . Such significant risk of harm should be identified by assessing on the one hand the effect of such risk with respect to its level of severity, intensity, probability of occurrence and duration combined altogether and on the other hand whether the risk can affect an individual, a plurality of persons or a particular group of persons. Such combination could for instance result in a high severity but low probability to affect a natural person, or a high probability to affect a group of persons with a low intensity over a long period of time, depending on the context. The identification of those systems is based on the same methodology and criteria envisaged also for any future amendments of the list of high-risk AI systems.(32) As regards high-risk AI systems other than those that are safety components of products, or which are themselves products, it is appropriate to classify them as high-risk if, in the light of their intended purpose, they pose a high risk of harm to the health and safety or the fundamental rights of persons, taking into account both the severity of the possible harm and its probability of occurrence, and they are used in a number of specifically pre-defined areas specified in the Regulation. The identification of those systems is based on the same methodology and criteria envisaged also for any future amendments of the list of high-risk AI systems. It is also important to clarify that within the high-risk scenarios referred to in Annex III there may be systems that do not lead to a significant risk to the legal interests protected under those scenarios, taking into account the output produced by the AI system. Therefore only when such output has a high degree of importance (i.e. is not purely accessory) in respect of the relevant action or decision so as to generate a significant risk to the legal interests protected, the AI system generating such output should be considered as high-risk. For instance, when the information provided by an AI systems to the human consists of the profiling of natural persons within the meaning of of Article 4(4) Regulation (EU) 2016/679 and Article 3(4) of Directive (EU) 2016/680 and Article 3(5) of Regulation (EU) 2018/1725, such information should not typically be considered of accessory nature in the context of high risk AI systems as referred to in Annex III. However, if the output of the AI system has only negligible or minor relevance for human action or decision, it may be considered purely accessory, including for example, AI systems used for translation for informative purposes or for the management of documents.(32) As regards stand-alone AI systems, meaning high-risk AI systems other than those that are safety components of products, or which are themselves products, and that are listed in one of the areas and use cases in Annex III, it is appropriate to classify them as high-risk if, in the light of their intended purpose, they pose a significant risk of harm to the health and safety or the fundamental rights of persons, and, where the AI system is used as a safety component of a critical infrastructure, to the environment. This significant risk of harm should be identified by assessing the severity, intensity, probability of occurrence and duration of such risk, and whether the risk can affect an individual, a plurality of persons or a particular group of persons.

However, within the high-risk scenarios referred to in Annex III, there may be systems that do not lead to a significant risk to the legal interests protected under those scenarios, taking into account the output produced by the AI system. Therefore, only when such output has a high degree of importance (i.e. is not purely accessory) in respect of the relevant action or decision so as to generate a significant risk to the legal interests protected, the AI system generating such output should be considered as high-risk. For instance, when the information provided by an AI systems to the human consists of the profiling of natural persons within the meaning of Article 4(4) Regulation (EU) 2016/679 and Article 3(4) of Directive (EU) 2016/680 and Article 3(5) of Regulation (EU) 2018/1725, such information should not typically be considered of accessory nature in the context of high risk AI systems as referred to in Annex III. However, if the output of the AI system has only negligible or minor relevance for human action or decision, it may be considered purely accessory, including for example, AI systems used for translation for informative purposes or for the management of documents.

The identification of those systems is based on the same methodology and criteria envisaged also for any future amendments of the list of high-risk AI systems.
Recital (32a) (new)(32a)  Providers whose AI systems fall under one of the areas and use cases listed in Annex III that consider their system does not pose a significant risk of harm to the health, safety, fundamental rights or the environment should inform the national supervisory authorities by submitting a reasoned notification. This could take the form of a one-page summary of the relevant information on the AI system in question, including its intended purpose and why it would not pose a significant risk of harm to the health, safety, fundamental rights or the environment. The Commission should specify criteria to enable companies to assess whether their system would pose such risks, as well as develop an easy to use and standardised template for the notification. Providers should submit the notification as early as possible and in any case prior to the placing of the AI system on the market or its putting into service, ideally at the development stage, and they should be free to place it on the market at any given time after the notification. However, if the authority estimates the AI system in question was misclassified, it should object to the notification within a period of three months. The objection should be substantiated and duly explain why the AI system has been misclassified. The provider should retain the right to appeal by providing further arguments. If after the three months there has been no objection to the notification, national supervisory authorities could still intervene if the AI system presents a risk at national level, as for any other AI system on the market. National supervisory authorities should submit annual reports to the AI Office detailing the notifications received and the decisions taken.Providers with AI systems that fall under the areas and use cases listed in Annex III, and who believe their system does not pose a significant risk to health, safety, fundamental rights, or the environment, should submit a reasoned notification to the national supervisory authorities. This notification could be a one-page summary detailing the AI system’s intended purpose and reasons why it does not pose a significant risk. The Commission is tasked with specifying criteria for risk assessment and developing a standardized notification template.

Providers should submit this notification as early as possible, ideally during the development stage, and certainly before the AI system is placed on the market or put into service. Providers are free to market their AI system at any time after the notification.

If the authority believes the AI system has been misclassified, it has the right to object to the notification within a three-month period. This objection must be substantiated with a clear explanation of why the AI system has been misclassified. Providers retain the right to appeal this objection by providing further arguments.

If no objection has been raised within the three-month period, national supervisory authorities still retain the right to intervene if the AI system presents a risk at the national level, as with any other AI system on the market.

Finally, national supervisory authorities are required to submit annual reports to the AI Office, detailing the notifications received and the decisions taken.
Recital (33)(33) Technical inaccuracies of AI systems intended for the remote biometric identification of natural persons can lead to biased results and entail discriminatory effects. This is particularly relevant when it comes to age, ethnicity, sex or disabilities. Therefore, ‘real-time’ and ‘post’ remote biometric identification systems should be classified as high-risk. In view of the risks that they pose, both types of remote biometric identification systems should be subject to specific requirements on logging capabilities and human oversight.deleted(33) Technical inaccuracies of AI systems intended for the remote biometric identification of natural persons can lead to biased results and entail discriminatory effects. This is particularly relevant when it comes to age, ethnicity, race, sex or disabilities. Therefore, ‘real-time’ and ‘post’ remote biometric identification systems should be classified as high- risk. In view of the risks that they pose, both types of remote biometric identification systems should be subject to specific requirements on logging capabilities and human oversight.(33) Technical inaccuracies of AI systems intended for the remote biometric identification of natural persons can lead to biased results and entail discriminatory effects. This is particularly relevant when it comes to age, ethnicity, race, sex or disabilities. Therefore, ‘real-time’ and ‘post’ remote biometric identification systems should be classified as high-risk. In view of the risks that they pose, both types of remote biometric identification systems should be subject to specific requirements on logging capabilities and human oversight.
Recital (33a) (new)(33a)  As biometric data constitute a special category of sensitive personal data in accordance with Regulation 2016/679, it is appropriate to classify as high-risk several critical use-cases of biometric and biometrics-based systems. AI systems intended to be used for biometric identification of natural persons and AI systems intended to be used to make inferences about personal characteristics of natural persons on the basis of biometric or biometrics-based data, including emotion recognition systems, with the exception of those which are prohibited under this Regulation should therefore be classified as high-risk. This should not include AI systems intended to be used for biometric verification, which includes authentication, whose sole purpose is to confirm that a specific natural person is the person he or she claims to be and to confirm the identity of a natural person for the sole purpose of having access to a service, a device or premises (one-to-one verification). Biometric and biometrics-based systems which are provided for under Union law to enable cybersecurity and personal data protection measures should not be considered as posing a significant risk of harm to the health, safety and fundamental rights. Given the sensitive nature of biometric data, it is appropriate to classify several critical use-cases of biometric and biometrics-based systems as high-risk. This includes AI systems intended for biometric identification of natural persons and those used to make inferences about personal characteristics based on biometric data, such as emotion recognition systems. However, this classification should exclude AI systems used for biometric verification, including authentication, whose sole purpose is to confirm a person’s identity for access to a service, device, or premises. Furthermore, biometric systems provided for under Union law for cybersecurity and personal data protection measures should not be considered as posing a significant risk to health, safety, and fundamental rights.
Recital (34)(34)  As regards the management and operation of critical infrastructure, it is appropriate to classify as high-risk the AI systems intended to be used as safety components in the management and operation of road traffic and the supply of water, gas, heating and electricity, since their failure or malfunctioning may put at risk the life and health of persons at large scale and lead to appreciable disruptions in the ordinary conduct of social and economic activities.(34)  As regards the management and operation of critical infrastructure, it is appropriate to classify as high-risk the AI systems intended to be used as safety components in the management and operation of the supply of water, gas, heating electricity and critical digital infrastructure, since their failure or malfunctioning may infringe the security and integrity of such critical infrastructure or put at risk the life and health of persons at large scale and lead to appreciable disruptions in the ordinary conduct of social and economic activities. Safety components of critical infrastructure, including critical digital infrastructure, are systems used to directly protect the physical integrity of critical infrastructure or health and safety of persons and property. Failure or malfunctioning of such components might directly lead to risks to the physical integrity of critical infrastructure and thus to risks to the health and safety of persons and property. Components intended to be used solely for cybersecurity purposes should not qualify as safety components. Examples of such safety components may include systems for monitoring water pressure or fire alarm controlling systems in cloud computing centres.(34) As regards the management and operation of critical infrastructure, it is appropriate to classify as high-risk the AI systems intended to be used as safety components in the management and operation of critical digital infrastructure as listed in Annex I point 8 of the Directive on the resilience of critical entities, road traffic and the supply of water, gas, heating and electricity, since their failure or malfunctioning may put at risk the life and health of persons at large scale and lead to appreciable disruptions in the ordinary conduct of social and economic activities. Safety components of critical infrastructure, including critical digital infrastrucure, are systems used to directly protect the physical integrity of critical infrastructure or health and safety of persons and property but which are not necessary in order for the system to function. Failure or malfunctioning of such components might directly lead to risks to the physical integrity of critical infrastructure and thus to risks to health and safety of persons and property. Components intended to be used solely for cybersecurity purposes should not qualify as safety components. Examples of safety components of such critical infrastructure may include systems for monitoring water pressure or fire alarm controlling systems in cloud computing centres. (34) As regards the management and operation of critical infrastructure, it is appropriate to classify as high-risk the AI systems intended to be used as safety components in the management and operation of road traffic, the supply of water, gas, heating, electricity, and critical digital infrastructure as listed in Annex I point 8 of the Directive on the resilience of critical entities. The failure or malfunctioning of these systems may infringe the security and integrity of such critical infrastructure, put at risk the life and health of persons at large scale, and lead to appreciable disruptions in the ordinary conduct of social and economic activities. Safety components of critical infrastructure, including critical digital infrastructure, are systems used to directly protect the physical integrity of critical infrastructure or health and safety of persons and property, but which are not necessary in order for the system to function. Failure or malfunctioning of such components might directly lead to risks to the physical integrity of critical infrastructure and thus to risks to the health and safety of persons and property. Components intended to be used solely for cybersecurity purposes should not qualify as safety components. Examples of safety components of such critical infrastructure may include systems for monitoring water pressure or fire alarm controlling systems in cloud computing centres.
Recital (35)(35)  AI systems used in education or vocational training, notably for determining access or assigning persons to educational and vocational training institutions or to evaluate persons on tests as part of or as a precondition for their education should be considered high-risk, since they may determine the educational and professional course of a person’s life and therefore affect their ability to secure their livelihood. When improperly designed and used, such systems may violate the right to education and training as well as the right not to be discriminated against and perpetuate historical patterns of discrimination.(35)  Deployment of AI systems in education is important in order to help modernise entire education systems, to increase educational quality, both offline and online and to accelerate digital education, thus also making it available to a broader audience . AI systems used in education or vocational training, notably for determining access or materially influence decisions on admission or assigning persons to educational and vocational training institutions or to evaluate persons on tests as part of or as a precondition for their education or to assess the appropriate level of education for an individual and materially influence the level of education and training that individuals will receive or be able to access or to monitor and detect prohibited behaviour of students during tests should be classified as high-risk AI systems, since they may determine the educational and professional course of a person’s life and therefore affect their ability to secure their livelihood. When improperly designed and used, such systems can be particularly intrusive and may violate the right to education and training as well as the right not to be discriminated against and perpetuate historical patterns of discrimination, for example against women, certain age groups, persons with disabilities, or persons of certain racial or ethnic origins or sexual orientation.(35) AI systems used in education or vocational training, notably for determining access, admission or assigning persons to educational and vocational training institutions or programmes at all levels or to evaluate learning outcomes of persons should be considered high-risk, since they may determine the educational and professional course of a person’s life and therefore affect their ability to secure their livelihood. When improperly designed and used, such systems may violate the right to education and training as well as the right not to be discriminated against and perpetuate historical patterns of discrimination.(35) AI systems used in education or vocational training, notably for determining access, admission or assigning persons to educational and vocational training institutions or programmes at all levels, to evaluate learning outcomes of persons, or to assess the appropriate level of education for an individual and materially influence the level of education and training that individuals will receive or be able to access, or to monitor and detect prohibited behaviour of students during tests should be considered high-risk. These systems are important in order to help modernise entire education systems, to increase educational quality, both offline and online and to accelerate digital education, thus also making it available to a broader audience. However, they may determine the educational and professional course of a person’s life and therefore affect their ability to secure their livelihood. When improperly designed and used, such systems can be particularly intrusive and may violate the right to education and training as well as the right not to be discriminated against and perpetuate historical patterns of discrimination, for example against women, certain age groups, persons with disabilities, or persons of certain racial or ethnic origins or sexual orientation.
Recital (36)(36)  AI systems used in employment, workers management and access to self-employment, notably for the recruitment and selection of persons, for making decisions on promotion and termination and for task allocation, monitoring or evaluation of persons in work-related contractual relationships, should also be classified as high-risk, since those systems may appreciably impact future career prospects and livelihoods of these persons. Relevant work-related contractual relationships should involve employees and persons providing services through platforms as referred to in the Commission Work Programme 2021. Such persons should in principle not be considered users within the meaning of this Regulation. Throughout the recruitment process and in the evaluation, promotion, or retention of persons in work-related contractual relationships, such systems may perpetuate historical patterns of discrimination, for example against women, certain age groups, persons with disabilities, or persons of certain racial or ethnic origins or sexual orientation. AI systems used to monitor the performance and behaviour of these persons may also impact their rights to data protection and privacy.(36)  AI systems used in employment, workers management and access to self-employment, notably for the recruitment and selection of persons, for making decisions or materially influence decisions on initiation,promotion and termination and for personalised task allocation based on individual behaviour, personal traits or biometric data, monitoring or evaluation of persons in work-related contractual relationships, should also be classified as high-risk, since those systems may appreciably impact future career prospects, livelihoods of these persons and workers’ rights. Relevant work-related contractual relationships should meaningfully involve employees and persons providing services through platforms as referred to in the Commission Work Programme 2021. Throughout the recruitment process and in the evaluation, promotion, or retention of persons in work-related contractual relationships, such systems may perpetuate historical patterns of discrimination, for example against women, certain age groups, persons with disabilities, or persons of certain racial or ethnic origins or sexual orientation. AI systems used to monitor the performance and behaviour of these persons may also undermine the essence of their fundamental rights to data protection and privacy. This Regulation applies without prejudice to Union and Member State competences to provide for more specific rules for the use of AI-systems in the employment context.(36) AI systems used in employment, workers management and access to self-employment, notably for the recruitment and selection of persons, for making decisions on promotion and termination and for task allocation based on individual behavior or personal traits or characteristics, monitoring or evaluation of persons in work-related contractual relationships, should also be classified as high-risk, since those systems may appreciably impact future career prospects and livelihoods of these persons. Relevant work-related contractual relationships should involve employees and persons providing services through platforms as referred to in the Commission Work Programme 2021. Such persons should in principle not be considered users within the meaning of this Regulation. Throughout the recruitment process and in the evaluation, promotion, or retention of persons in work-related contractual relationships, such systems may perpetuate historical patterns of discrimination, for example against women, certain age groups, persons with disabilities, or persons of certain racial or ethnic origins or sexual orientation. AI systems used to monitor the performance and behaviour of these persons may also impact their rights to data protection and privacy.(36) AI systems used in employment, workers management and access to self-employment, notably for the recruitment and selection of persons, for making decisions or materially influence decisions on initiation, promotion and termination and for personalised task allocation based on individual behaviour, personal traits or biometric data, monitoring or evaluation of persons in work-related contractual relationships, should also be classified as high-risk, since those systems may appreciably impact future career prospects, livelihoods of these persons and workers’ rights. Relevant work-related contractual relationships should meaningfully involve employees and persons providing services through platforms as referred to in the Commission Work Programme 2021. Such persons should in principle not be considered users within the meaning of this Regulation. Throughout the recruitment process and in the evaluation, promotion, or retention of persons in work-related contractual relationships, such systems may perpetuate historical patterns of discrimination, for example against women, certain age groups, persons with disabilities, or persons of certain racial or ethnic origins or sexual orientation. AI systems used to monitor the performance and behaviour of these persons may also undermine the essence of their fundamental rights to data protection and privacy. This Regulation applies without prejudice to Union and Member State competences to provide for more specific rules for the use of AI-systems in the employment context.
Recital (37)(37)  Another area in which the use of AI systems deserves special consideration is the access to and enjoyment of certain essential private and public services and benefits necessary for people to fully participate in society or to improve one’s standard of living. In particular, AI systems used to evaluate the credit score or creditworthiness of natural persons should be classified as high-risk AI systems, since they determine those persons’ access to financial resources or essential services such as housing, electricity, and telecommunication services. AI systems used for this purpose may lead to discrimination of persons or groups and perpetuate historical patterns of discrimination, for example based on racial or ethnic origins, disabilities, age, sexual orientation, or create new forms of discriminatory impacts. Considering the very limited scale of the impact and the available alternatives on the marketit is appropriate to exempt AI systems for the purpose of creditworthiness assessment and credit scoring when put into service by small-scale providers for their own use. Natural persons applying for or receiving public assistance benefits and services from public authorities are typically dependent on those benefits and services and in a vulnerable position in relation to the responsible authorities. If AI systems are used for determining whether such benefits and services should be denied, reduced, revoked or reclaimed by authorities, they may have a significant impact on persons’ livelihood and may infringe their fundamental rights, such as the right to social protection, non-discrimination, human dignity or an effective remedy. Those systems should therefore be classified as high-risk. Nonetheless, this Regulation should not hamper the development and use of innovative approaches in the public administration, which would stand to benefit from a wider use of compliant and safe AI systems, provided that those systems do not entail a high risk to legal and natural persons. Finally, AI systems used to dispatch or establish priority in the dispatching of emergency first response services should also be classified as high-risk since they make decisions in very critical situations for the life and health of persons and their property.(37)  Another area in which the use of AI systems deserves special consideration is the access to and enjoyment of certain essential private and public services, including healthcare services, and essential services, including but not limited to housing, electricity, heating/cooling and internet, and benefits necessary for people to fully participate in society or to improve one’s standard of living. In particular, AI systems used to evaluate the credit score or creditworthiness of natural persons should be classified as high-risk AI systems, since they determine those persons’ access to financial resources or essential services such as housing, electricity, and telecommunication services. AI systems used for this purpose may lead to discrimination of persons or groups and perpetuate historical patterns of discrimination, for example based on racial or ethnic origins, gender, disabilities, age, sexual orientation, or create new forms of discriminatory impacts. However, AI systems provided for by Union law for the purpose of detecting fraud in the offering of financial services should not be considered as high-risk under this Regulation. Natural persons applying for or receiving public assistance benefits and services from public authorities, including healthcare services and essential services, including but not limited to housing, electricity, heating/cooling and internet, are typically dependent on those benefits and services and in a vulnerable position in relation to the responsible authorities. If AI systems are used for determining whether such benefits and services should be denied, reduced, revoked or reclaimed by authorities, they may have a significant impact on persons’ livelihood and may infringe their fundamental rights, such as the right to social protection, non-discrimination, human dignity or an effective remedy. Similarly, AI systems intended to be used to make decisions or materially influence decisions on the eligibility of natural persons for health and life insurance may also have a significant impact on persons’ livelihood and may infringe their fundamental rights such as by limiting access to healthcare or by perpetuating discrimination based on personal characteristics. Those systems should therefore be classified as high-risk. Nonetheless, this Regulation should not hamper the development and use of innovative approaches in the public administration, which would stand to benefit from a wider use of compliant and safe AI systems, provided that those systems do not entail a high risk to legal and natural persons. Finally, AI systems used to evaluate and classify emergency calls by natural persons or to dispatch or establish priority in the dispatching of emergency first response services should also be classified as high-risk since they make decisions in very critical situations for the life and health of persons and their property.(37) Another area in which the use of AI systems deserves special consideration is the access to and enjoyment of certain essential private and public services and benefits necessary for people to fully participate in society or to improve one’s standard of living. In particular, AI systems used to evaluate the credit score or creditworthiness of natural persons should be classified as high-risk AI systems, since they determine those persons’ access to financial resources or essential services such as housing, electricity, and telecommunication services. AI systems used for this purpose may lead to discrimination of persons or groups and perpetuate historical patterns of discrimination, for example based on racial or ethnic origins, disabilities, age, sexual orientation, or create new forms of discriminatory impacts. Considering the very limited scale of the impact and the available alternatives on the market, it is appropriate to exempt AI systems for the purpose of creditworthiness assessment and credit scoring when put into service by micro or small entreprises, as defined in the Annex of Commission Recommendation 2003/361/EC for their own use. Natural persons applying for or receiving essential public assistance benefits and services from public authorities are typically dependent on those benefits and services and in a vulnerable position in relation to the responsible authorities. If AI systems are used for determining whether such benefits and services should be denied, reduced, revoked or reclaimed by authorities, including whether beneficiaries are legitimately entitled to such benefits or services, those systems may have a significant impact on persons’ livelihood and may infringe their fundamental rights, such as the right to social protection, non-discrimination, human dignity or an effective remedy. Those systems should therefore be classified as high-risk. Nonetheless, this Regulation should not hamper the development and use of innovative approaches in the public administration, which would stand to benefit from a wider use of compliant and safe AI systems, provided that those systems do not entail a high risk to legal and natural persons. Finally, AI systems used to dispatch or establish priority in the dispatching of emergency first response services should also be classified as high-risk since they make decisions in very critical situations for the life and health of persons and their property. AI systems are also increasingly used for risk assessment in relation to natural persons and pricing in the case of life and health insurance which, if not duly designed, developed and used, can lead to serious consequences for people’s life and health, including financial exclusion and discrimination. To ensure a consistent approach within the financial services sector, the above mentioned exception for micro or small enterprises for their own use should apply, insofar as they themselves provide and put into service an AI system for the purpose of selling their own insurance products.(37) Another area in which the use of AI systems deserves special consideration is the access to and enjoyment of certain essential private and public services and benefits, including healthcare services, necessary for people to fully participate in society or to improve one’s standard of living. In particular, AI systems used to evaluate the credit score or creditworthiness of natural persons should be classified as high-risk AI systems, since they determine those persons’ access to financial resources or essential services such as housing, electricity, and telecommunication services. AI systems used for this purpose may lead to discrimination of persons or groups and perpetuate historical patterns of discrimination, for example based on racial or ethnic origins, gender, disabilities, age, sexual orientation, or create new forms of discriminatory impacts. However, considering the very limited scale of the impact and the available alternatives on the market, it is appropriate to exempt AI systems for the purpose of creditworthiness assessment and credit scoring when put into service by small-scale providers, micro or small enterprises, as defined in the Annex of Commission Recommendation 2003/361/EC for their own use. AI systems provided for by Union law for the purpose of detecting fraud in the offering of financial services should not be considered as high-risk under this Regulation. Natural persons applying for or receiving public assistance benefits and services from public authorities, including healthcare services and essential services, are typically dependent on those benefits and services and in a vulnerable position in relation to the responsible authorities. If AI systems are used for determining whether such benefits and services should be denied, reduced, revoked or reclaimed by authorities, including whether beneficiaries are legitimately entitled to such benefits or services, they may have a significant impact on persons’ livelihood and may infringe their fundamental rights, such as the right to social protection, non-discrimination, human dignity or an effective remedy. Similarly, AI systems intended to be used to make decisions or materially influence decisions on the eligibility of natural persons for health and life insurance may also have a significant impact on persons’ livelihood and may infringe their fundamental rights such as by limiting access to healthcare or by perpetuating discrimination based on personal characteristics. Those systems should therefore be classified as high-risk. Nonetheless, this Regulation should not hamper the development and use of innovative approaches in the public administration, which would stand to benefit from a wider use of compliant and safe AI systems, provided that those systems do not entail a high risk to legal and natural persons. Finally, AI systems used to evaluate and classify emergency calls by natural persons or to dispatch or establish priority in the dispatching of emergency first response services should also be classified as high-risk since they make decisions in very critical situations for the life and health of persons and their property. AI systems are also increasingly used for risk assessment in relation to natural persons and pricing in the case of life and health insurance which, if not duly designed, developed and used, can lead to serious consequences for people’s life and health, including financial exclusion and discrimination. To ensure a consistent approach within the financial services sector, the above mentioned exception for micro or small enterprises for their own use should apply, insofar as they themselves provide and put into service an AI system for the purpose of selling their own insurance products.
Recital (37a) (new)(37a)  Given the role and responsibility of police and judicial authorities, and the impact of decisions they take for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, some specific use-cases of AI applications in law enforcement has to be classified as high-risk, in particular in instances where there is the potential to significantly affect the lives or the fundamental rights of individuals.Given the significant role and responsibility of police and judicial authorities, and considering the profound impact of their decisions in the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, it is necessary to classify certain use-cases of AI applications in law enforcement as high-risk. This is particularly crucial in instances where there is potential to significantly affect the lives or the fundamental rights of individuals.
Recital (38)(38)  Actions by law enforcement authorities involving certain uses of AI systems are characterised by a significant degree of power imbalance and may lead to surveillance, arrest or deprivation of a natural person’s liberty as well as other adverse impacts on fundamental rights guaranteed in the Charter. In particular, if the AI system is not trained with high quality data, does not meet adequate requirements in terms of its accuracy or robustness, or is not properly designed and tested before being put on the market or otherwise put into service, it may single out people in a discriminatory or otherwise incorrect or unjust manner. Furthermore, the exercise of important procedural fundamental rights, such as the right to an effective remedy and to a fair trial as well as the right of defence and the presumption of innocence, could be hampered, in particular, where such AI systems are not sufficiently transparent, explainable and documented. It is therefore appropriate to classify as high-risk a number of AI systems intended to be used in the law enforcement context where accuracy, reliability and transparency is particularly important to avoid adverse impacts, retain public trust and ensure accountability and effective redress. In view of the nature of the activities in question and the risks relating thereto, those high-risk AI systems should include in particular AI systems intended to be used by law enforcement authorities for individual risk assessments, polygraphs and similar tools or to detect the emotional state of natural person, to detect ‘deep fakes’, for the evaluation of the reliability of evidence in criminal proceedings, for predicting the occurrence or reoccurrence of an actual or potential criminal offence based on profiling of natural persons, or assessing personality traits and characteristics or past criminal behaviour of natural persons or groups, for profiling in the course of detection, investigation or prosecution of criminal offences, as well as for crime analytics regarding natural persons. AI systems specifically intended to be used for administrative proceedings by tax and customs authorities should not be considered high-risk AI systems used by law enforcement authorities for the purposes of prevention, detection, investigation and prosecution of criminal offences.(38)  Actions by law enforcement authorities involving certain uses of AI systems are characterised by a significant degree of power imbalance and may lead to surveillance, arrest or deprivation of a natural person’s liberty as well as other adverse impacts on fundamental rights guaranteed in the Charter. In particular, if the AI system is not trained with high quality data, does not meet adequate requirements in terms of its performance, its accuracy or robustness, or is not properly designed and tested before being put on the market or otherwise put into service, it may single out people in a discriminatory or otherwise incorrect or unjust manner. Furthermore, the exercise of important procedural fundamental rights, such as the right to an effective remedy and to a fair trial as well as the right of defence and the presumption of innocence, could be hampered, in particular, where such AI systems are not sufficiently transparent, explainable and documented. It is therefore appropriate to classify as high-risk a number of AI systems intended to be used in the law enforcement context where accuracy, reliability and transparency is particularly important to avoid adverse impacts, retain public trust and ensure accountability and effective redress. In view of the nature of the activities in question and the risks relating thereto, those high-risk AI systems should include in particular AI systems intended to be used by or on behalf of law enforcement authorities or by Union agenciesoffices or bodies in support of law enforcement authorities, as polygraphs and similar tools insofar as their use is permitted under relevant Union and national law, for the evaluation of the reliability of evidence in criminal proceedings, for profiling in the course of detection, investigation or prosecution of criminal offences, as well as for crime analytics regarding natural persons. AI systems specifically intended to be used for administrative proceedings by tax and customs authorities should not be classified ashigh-risk AI systems used by law enforcement authorities for the purposes of prevention, detection, investigation and prosecution of criminal offences. The use of AI tools by law enforcement and judicial authorities should not become a factor of inequality, social fracture or exclusion. The impact of the use of AI tools on the defence rights of suspects should not be ignored, notably the difficulty in obtaining meaningful information on their functioning and the consequent difficulty in challenging their results in court, in particular by individuals under investigation.(38) Actions by law enforcement authorities involving certain uses of AI systems are characterised by a significant degree of power imbalance and may lead to surveillance, arrest or deprivation of a natural person’s liberty as well as other adverse impacts on fundamental rights guaranteed in the Charter. In particular, if the AI system is not trained with high quality data, does not meet adequate requirements in terms of its accuracy or robustness, or is not properly designed and tested before being put on the market or otherwise put into service, it may single out people in a discriminatory or otherwise incorrect or unjust manner. Furthermore, the exercise of important procedural fundamental rights, such as the right to an effective remedy and to a fair trial as well as the right of defence and the presumption of innocence, could be hampered, in particular, where such AI systems are not sufficiently transparent, explainable and documented. It is therefore appropriate to classify as high-risk a number of AI systems intended to be used in the law enforcement context where accuracy, reliability and transparency is particularly important to avoid adverse impacts, retain public trust and ensure accountability and effective redress. In view of the nature of the activities in question and the risks relating thereto, those high-risk AI systems should include in particular AI systems intended to be used by law enforcement authorities for individual risk assessments, polygraphs and similar tools or to detect the emotional state of natural person, for the evaluation of the reliability of evidence in criminal proceedings, for predicting the occurrence or reoccurrence of an actual or potential criminal offence based on profiling of natural persons, or assessing personality traits and characteristics or past criminal behaviour of natural persons or groups, for profiling in the course of detection, investigation or prosecution of criminal offences. AI systems specifically intended to be used for administrative proceedings by tax and customs authorities as well as by financial intelligence units carrying out adminstrative tasks analysing information pursuant to Union anti-money laundering legislation should not be considered high-risk AI systems used by law enforcement authorities for the purposes of prevention, detection, investigation and prosecution of criminal offences.(38) Actions by law enforcement authorities involving certain uses of AI systems are characterised by a significant degree of power imbalance and may lead to surveillance, arrest or deprivation of a natural person’s liberty as well as other adverse impacts on fundamental rights guaranteed in the Charter. In particular, if the AI system is not trained with high quality data, does not meet adequate requirements in terms of its performance, its accuracy or robustness, or is not properly designed and tested before being put on the market or otherwise put into service, it may single out people in a discriminatory or otherwise incorrect or unjust manner. Furthermore, the exercise of important procedural fundamental rights, such as the right to an effective remedy and to a fair trial as well as the right of defence and the presumption of innocence, could be hampered, in particular, where such AI systems are not sufficiently transparent, explainable and documented. It is therefore appropriate to classify as high-risk a number of AI systems intended to be used in the law enforcement context where accuracy, reliability and transparency is particularly important to avoid adverse impacts, retain public trust and ensure accountability and effective redress. In view of the nature of the activities in question and the risks relating thereto, those high-risk AI systems should include in particular AI systems intended to be used by or on behalf of law enforcement authorities or by Union agencies, offices or bodies in support of law enforcement authorities, for individual risk assessments, polygraphs and similar tools insofar as their use is permitted under relevant Union and national law, to detect the emotional state of natural person, for the evaluation of the reliability of evidence in criminal proceedings, for predicting the occurrence or reoccurrence of an actual or potential criminal offence based on profiling of natural persons, or assessing personality traits and characteristics or past criminal behaviour of natural persons or groups, for profiling in the course of detection, investigation or prosecution of criminal offences, as well as for crime analytics regarding natural persons. AI systems specifically intended to be used for administrative proceedings by tax and customs authorities as well as by financial intelligence units carrying out administrative tasks analysing information pursuant to Union anti-money laundering legislation should not be classified as high-risk AI systems used by law enforcement authorities for the purposes of prevention, detection, investigation and prosecution of criminal offences. The use of AI tools by law enforcement and judicial authorities should not become a factor of inequality, social fracture or exclusion. The impact of the use of AI tools on the defence rights of suspects should not be ignored, notably the difficulty in obtaining meaningful information on their functioning and the consequent difficulty in challenging their results in court, in particular by individuals under investigation.
Recital (39)(39)  AI systems used in migration, asylum and border control management affect people who are often in particularly vulnerable position and who are dependent on the outcome of the actions of the competent public authorities. The accuracy, non-discriminatory nature and transparency of the AI systems used in those contexts are therefore particularly important to guarantee the respect of the fundamental rights of the affected persons, notably their rights to free movement, non-discrimination, protection of private life and personal data, international protection and good administration. It is therefore appropriate to classify as high-risk AI systems intended to be used by the competent public authorities charged with tasks in the fields of migration, asylum and border control management as polygraphs and similar tools or to detect the emotional state of a natural person; for assessing certain risks posed by natural persons entering the territory of a Member State or applying for visa or asylum; for verifying the authenticity of the relevant documents of natural persons; for assisting competent public authorities for the examination of applications for asylum, visa and residence permits and associated complaints with regard to the objective to establish the eligibility of the natural persons applying for a status. AI systems in the area of migration, asylum and border control management covered by this Regulation should comply with the relevant procedural requirements set by the Directive 2013/32/EU of the European Parliament and of the Council49 , the Regulation (EC) No 810/2009 of the European Parliament and of the Council50 and other relevant legislation.

–––––
49. Directive 2013/32/EU of the European Parliament and of the Council of 26 June 2013 on common procedures for granting and withdrawing international protection (OJ L 180, 29.6.2013, p. 60).

50. Regulation (EC) No 810/2009 of the European Parliament and of the Council of 13 July 2009 establishing a Community Code on Visas (Visa Code) (OJ L 243, 15.9.2009, p. 1).		(39)  AI systems used in migration, asylum and border control management affect people who are often in particularly vulnerable position and who are dependent on the outcome of the actions of the competent public authorities. The accuracy, non-discriminatory nature and transparency of the AI systems used in those contexts are therefore particularly important to guarantee the respect of the fundamental rights of the affected persons, notably their rights to free movement, non-discrimination, protection of private life and personal data, international protection and good administration. It is therefore appropriate to classify as high-risk AI systems intended to be used by or on behalf of competent public authorities or by Union agencies, offices or bodies charged with tasks in the fields of migration, asylum and border control management as polygraphs and similar tools insofar as their use is permitted under relevant Union and national law, for assessing certain risks posed by natural persons entering the territory of a Member State or applying for visa or asylum; for verifying the authenticity of the relevant documents of natural persons; for assisting competent public authorities for the examination and assessment of the veracity of evidence in relation to applications for asylum, visa and residence permits and associated complaints with regard to the objective to establish the eligibility of the natural persons applying for a status; for monitoring, surveilling or processing personal data in the context of border management activities, for the purpose of detecting, recognising or identifying natural persons; for the forecasting or prediction of trends related to migration movements and border crossings. AI systems in the area of migration, asylum and border control management covered by this Regulation should comply with the relevant procedural requirements set by the Directive 2013/32/EU of the European Parliament and of the Council49 , the Regulation (EC) No 810/2009 of the European Parliament and of the Council50 and other relevant legislation. The use of AI systems in migration, asylum and border control management should in no circumstances be used by Member States or Union institutions, agencies or bodies as a means to circumvent their international obligations under the Convention of 28 July 1951 relating to the Status of Refugees as amended by the Protocol of 31 January 1967, nor should they be used to in any way infringe on the principle of non-refoulement, or or deny safe and effective legal avenues into the territory of the Union, including the right to international protection.

–––––
49. Directive 2013/32/EU of the European Parliament and of the Council of 26 June 2013 on common procedures for granting and withdrawing international protection (OJ L 180, 29.6.2013, p. 60).

50. Regulation (EC) No 810/2009 of the European Parliament and of the Council of 13 July 2009 establishing a Community Code on Visas (Visa Code) (OJ L 243, 15.9.2009, p. 1).		(39) AI systems used in migration, asylum and border control management affect people who are often in particularly vulnerable position and who are dependent on the outcome of the actions of the competent public authorities. The accuracy, non-discriminatory nature and transparency of the AI systems used in those contexts are therefore particularly important to guarantee the respect of the fundamental rights of the affected persons, notably their rights to free movement, non-discrimination, protection of private life and personal data, international protection and good administration. It is therefore appropriate to classify as high-risk AI systems intended to be used by the competent public authorities charged with tasks in the fields of migration, asylum and border control management as polygraphs and similar tools or to detect the emotional state of a natural person; for assessing certain risks posed by natural persons entering the territory of a Member State or applying for visa or asylum; for assisting competent public authorities for the examination of applications for asylum, visa and residence permits and associated complaints with regard to the objective to establish the eligibility of the natural persons applying for a status. AI systems in the area of migration, asylum and border control management covered by this Regulation should comply with the relevant procedural requirements set by the Directive 2013/32/EU of the European Parliament and of the Council20, the Regulation (EC) No 810/2009 of the European Parliament and of the Council21 and other relevant legislation.


20. Directive 2013/32/EU of the European Parliament and of the Council of 26 June 2013 on common procedures for granting and withdrawing international protection (OJ L 180, 29.6.2013, p. 60).

21. Regulation (EC) No 810/2009 of the European Parliament and of the Council of 13 July 2009 establishing a Community Code on Visas (Visa Code) (OJ L 243, 15.9.2009, p. 1).		(39) AI systems used in migration, asylum and border control management affect people who are often in particularly vulnerable positions and who are dependent on the outcome of the actions of the competent public authorities or Union agencies, offices or bodies. The accuracy, non-discriminatory nature and transparency of the AI systems used in those contexts are therefore particularly important to guarantee the respect of the fundamental rights of the affected persons, notably their rights to free movement, non-discrimination, protection of private life and personal data, international protection and good administration. It is therefore appropriate to classify as high-risk AI systems intended to be used by or on behalf of competent public authorities charged with tasks in the fields of migration, asylum and border control management as polygraphs and similar tools, insofar as their use is permitted under relevant Union and national law, for assessing certain risks posed by natural persons entering the territory of a Member State or applying for visa or asylum; for verifying the authenticity of the relevant documents of natural persons; for assisting competent public authorities for the examination and assessment of the veracity of evidence in relation to applications for asylum, visa and residence permits and associated complaints with regard to the objective to establish the eligibility of the natural persons applying for a status. AI systems in the area of migration, asylum and border control management covered by this Regulation should comply with the relevant procedural requirements set by the Directive 2013/32/EU of the European Parliament and of the Council, the Regulation (EC) No 810/2009 of the European Parliament and of the Council and other relevant legislation. The use of AI systems in migration, asylum and border control management should in no circumstances be used by Member States or Union institutions, agencies or bodies as a means to circumvent their international obligations under the Convention of 28 July 1951 relating to the Status of Refugees as amended by the Protocol of 31 January 1967, nor should they be used to in any way infringe on the principle of non-refoulement, or deny safe and effective legal avenues into the territory of the Union, including the right to international protection.
Recital (40)(40)  Certain AI systems intended for the administration of justice and democratic processes should be classified as high-risk, considering their potentially significant impact on democracy, rule of law, individual freedoms as well as the right to an effective remedy and to a fair trial. In particular, to address the risks of potential biases, errors and opacity, it is appropriate to qualify as high-risk AI systems intended to assist judicial authorities in researching and interpreting facts and the law and in applying the law to a concrete set of facts. Such qualification should not extend, however, to AI systems intended for purely ancillary administrative activities that do not affect the actual administration of justice in individual cases, such as anonymisation or pseudonymisation of judicial decisions, documents or data, communication between personnel, administrative tasks or allocation of resources.(40)  Certain AI systems intended for the administration of justice and democratic processes should be classified as high-risk, considering their potentially significant impact on democracy, rule of law, individual freedoms as well as the right to an effective remedy and to a fair trial. In particular, to address the risks of potential biases, errors and opacity, it is appropriate to qualify as high-risk AI systems intended to be used by a judicial authority or administrative body or on their behalf to assist judicial authorities or administrative bodies in researching and interpreting facts and the law and in applying the law to a concrete set of facts or used in a similar way in alternative dispute resolution. The use of artificial intelligence tools can support, but should not replace the decision-making power of judges or judicial independence, as the final decision-making must remain a human-driven activity and decision. Such qualification should not extend, however, to AI systems intended for purely ancillary administrative activities that do not affect the actual administration of justice in individual cases, such as anonymisation or pseudonymisation of judicial decisions, documents or data, communication between personnel, administrative tasks or allocation of resources.(40) Certain AI systems intended for the administration of justice and democratic processes should be classified as high-risk, considering their potentially significant impact on democracy, rule of law, individual freedoms as well as the right to an effective remedy and to a fair trial. In particular, to address the risks of potential biases, errors and opacity, it is appropriate to qualify as high-risk AI systems intended to assist judicial authorities in interpreting facts and the law and in applying the law to a concrete set of facts. Such qualification should not extend, however, to AI systems intended for purely ancillary administrative activities that do not affect the actual administration of justice in individual cases, such as anonymisation or pseudonymisation of judicial decisions, documents or data, communication between personnel, administrative tasks.(40) Certain AI systems intended for the administration of justice and democratic processes should be classified as high-risk, considering their potentially significant impact on democracy, rule of law, individual freedoms as well as the right to an effective remedy and to a fair trial. In particular, to address the risks of potential biases, errors and opacity, it is appropriate to qualify as high-risk AI systems intended to be used by a judicial authority or administrative body or on their behalf to assist judicial authorities or administrative bodies in researching and interpreting facts and the law and in applying the law to a concrete set of facts or used in a similar way in alternative dispute resolution. The use of artificial intelligence tools can support, but should not replace the decision-making power of judges or judicial independence, as the final decision-making must remain a human-driven activity and decision. Such qualification should not extend, however, to AI systems intended for purely ancillary administrative activities that do not affect the actual administration of justice in individual cases, such as anonymisation or pseudonymisation of judicial decisions, documents or data, communication between personnel, administrative tasks or allocation of resources.
Recital (40a) (new)(40a)  In order to address the risks of undue external interference to the right to vote enshrined in Article 39 of the Charter, and of disproportionate effects on democratic processes, democracy, and the rule of law, AI systems intended to be used to influence the outcome of an election or referendum or the voting behaviour of natural persons in the exercise of their vote in elections or referenda should be classified as high-risk AI systems. with the exception of AI systems whose output natural persons are not directly exposed to, such as tools used to organise, optimise and structure political campaigns from an administrative and logistical point of view.In order to mitigate the risks of undue external interference with the right to vote, as protected by Article 39 of the Charter, and to prevent disproportionate impacts on democratic processes, democracy, and the rule of law, AI systems designed to influence the outcome of an election or referendum or the voting behaviour of individuals should be classified as high-risk AI systems. This does not include AI systems that individuals are not directly exposed to, such as those used for the administrative and logistical organization, optimization, and structuring of political campaigns.
Recital (40b) (new)(40b)  Considering the scale of natural persons using the services provided by social media platforms designated as very large online platforms, such online platforms can be used in a way that strongly influences safety online, the shaping of public opinion and discourse, election and democratic processes and societal concerns. It is therefore appropriate that AI systems used by those online platforms in their recommender systems are subject to this Regulation so as to ensure that the AI systems comply with the requirements laid down under this Regulation, including the technical requirements on data governance, technical documentation and traceability, transparency, human oversight, accuracy and robustness. Compliance with this Regulation should enable such very large online platforms to comply with their broader risk assessment and risk-mitigation obligations in Article 34 and 35 of Regulation EU 2022/2065. The obligations in this Regulation are without prejudice to Regulation (EU) 2022/2065 and should complement the obligations required under the Regulation (EU) 2022/2065 when the social media platform has been designated as a very large online platform. Given the European-wide impact of social media platforms designated as very large online platforms, the authorities designated under Regulation (EU) 2022/2065 should act as enforcement authorities for the purposes of enforcing this provision.Considering the significant influence of very large online platforms, particularly in terms of online safety, public opinion, democratic processes, and societal concerns, it is crucial that AI systems used in their recommender systems adhere to this Regulation. This includes compliance with technical requirements on data governance, technical documentation and traceability, transparency, human oversight, accuracy, and robustness. Adherence to this Regulation will enable these platforms to meet their broader risk assessment and risk-mitigation obligations as outlined in Articles 34 and 35 of Regulation EU 2022/2065. This Regulation does not prejudice Regulation (EU) 2022/2065 and should complement its obligations when the social media platform is designated as a very large online platform. Given the Europe-wide impact of these platforms, the authorities designated under Regulation (EU) 2022/2065 should act as enforcement authorities for the purposes of enforcing this provision.
Recital (41)(41)  The fact that an AI system is classified as high risk under this Regulation should not be interpreted as indicating that the use of the system is necessarily lawful under other acts of Union law or under national law compatible with Union law, such as on the protection of personal data, on the use of polygraphs and similar tools or other systems to detect the emotional state of natural persons. Any such use should continue to occur solely in accordance with the applicable requirements resulting from the Charter and from the applicable acts of secondary Union law and national law. This Regulation should not be understood as providing for the legal ground for processing of personal data, including special categories of personal data, where relevant.(41)  The fact that an AI system is classified as a high risk AI system under this Regulation should not be interpreted as indicating that the use of the system is necessarily lawful or unlawful under other acts of Union law or under national law compatible with Union law, such as on the protection of personal data, Any such use should continue to occur solely in accordance with the applicable requirements resulting from the Charter and from the applicable acts of secondary Union law and national law.(41) The fact that an AI system is classified as high risk under this Regulation should not be interpreted as indicating that the use of the system is lawful under other acts of Union law or under national law compatible with Union law, such as on the protection of personal data, on the use of polygraphs and similar tools or other systems to detect the emotional state of natural persons. Any such use should continue to occur solely in accordance with the applicable requirements resulting from the Charter and from the applicable acts of secondary Union law and national law. This Regulation should not be understood as providing for the legal ground for processing of personal data, including special categories of personal data, where relevant, unless it is specifically provided for otherwise in this Regulation.(41) The fact that an AI system is classified as high risk under this Regulation should not be interpreted as indicating that the use of the system is necessarily lawful or unlawful under other acts of Union law or under national law compatible with Union law, such as on the protection of personal data, on the use of polygraphs and similar tools or other systems to detect the emotional state of natural persons. Any such use should continue to occur solely in accordance with the applicable requirements resulting from the Charter and from the applicable acts of secondary Union law and national law. This Regulation should not be understood as providing for the legal ground for processing of personal data, including special categories of personal data, where relevant, unless it is specifically provided for otherwise in this Regulation.
Recital (41a) (new)(41a)  A number of legally binding rules at European, national and international level already apply or are relevant to AI systems today, including but not limited to EU primary law (the Treaties of the European Union and its Charter of Fundamental Rights), EU secondary law (such as the General Data Protection Regulation, the Product Liability Directive, the Regulation on the Free Flow of Non-Personal Data, anti-discrimination Directives, consumer law and Safety and Health at Work Directives), the UN Human Rights treaties and the Council of Europe conventions (such as the European Convention on Human Rights), and national law. Besides horizontally applicable rules, various domain-specific rules exist that apply to particular AI applications (such as for instance the Medical Device Regulation in the healthcare sector).A multitude of legally binding regulations at the European, national, and international levels are currently applicable or relevant to AI systems. These include, but are not limited to, EU primary law such as the Treaties of the European Union and its Charter of Fundamental Rights, and EU secondary law, which includes the General Data Protection Regulation, the Product Liability Directive, the Regulation on the Free Flow of Non-Personal Data, anti-discrimination Directives, consumer law, and Safety and Health at Work Directives. Additionally, the UN Human Rights treaties and the Council of Europe conventions, including the European Convention on Human Rights, and national law are also applicable. Beyond these universally applicable rules, there are also various domain-specific rules that apply to specific AI applications, such as the Medical Device Regulation in the healthcare sector.
Recital (42)(42)  To mitigate the risks from high-risk AI systems placed or otherwise put into service on the Union market for users and affected persons, certain mandatory requirements should apply, taking into account the intended purpose of the use of the system and according to the risk management system to be established by the provider.(42)  To mitigate the risks from high-risk AI systems placed or otherwise put into service on the Union market for deployers and affected persons, certain mandatory requirements should apply, taking into account the intended purpose, the reasonably foreseeable misuse of the system and according to the risk management system to be established by the provider. These requirements should be objective-driven, fit for purpose, reasonable and effective, without adding undue regulatory burdens or costs on operators.(42) To mitigate the risks from high-risk AI systems placed or otherwise put into service on the Union market, certain mandatory requirements should apply, taking into account the intended purpose of the use of the system and according to the risk management system to be established by the provider. In particular, the risk management system should consist of a continuous iterative process planned and run throughout the entire lifecycle of a high-risk AI system. This process should ensure that the provider identifies and analyses the risks to the health, safety and fundamental rights of the persons who may be affected by the system in light of its intended purpose, including the possible risks arising from the interaction between the AI system and the environment within which it operates, and accordingly adopts suitable risk management measures in the light of state of the art.(42) To mitigate the risks from high-risk AI systems placed or otherwise put into service on the Union market for users, deployers, and affected persons, certain mandatory requirements should apply. These requirements should be objective-driven, fit for purpose, reasonable and effective, without adding undue regulatory burdens or costs on operators. The requirements should take into account the intended purpose, the reasonably foreseeable misuse of the system, and should be in accordance with the risk management system to be established by the provider. This risk management system should consist of a continuous iterative process planned and run throughout the entire lifecycle of a high-risk AI system. The process should ensure that the provider identifies and analyses the risks to the health, safety, and fundamental rights of the persons who may be affected by the system in light of its intended purpose, including the possible risks arising from the interaction between the AI system and the environment within which it operates, and accordingly adopts suitable risk management measures in the light of state of the art.
Recital (43)(43)  Requirements should apply to high-risk AI systems as regards the quality of data sets used, technical documentation and record-keeping, transparency and the provision of information to users, human oversight, and robustness, accuracy and cybersecurity. Those requirements are necessary to effectively mitigate the risks for health, safety and fundamental rights, as applicable in the light of the intended purpose of the system, and no other less trade restrictive measures are reasonably available, thus avoiding unjustified restrictions to trade.(43)  Requirements should apply to high-risk AI systems as regards the quality and relevance of data sets used, technical documentation and record-keeping, transparency and the provision of information to deployers, human oversight, and robustness, accuracy and cybersecurity. Those requirements are necessary to effectively mitigate the risks for health, safety and fundamental rights, as well as the environment, democracy and rule of law, asapplicable in the light of the intended purpose or reasonably foreseeable misuse of the system, and no other less trade restrictive measures are reasonably available, thus avoiding unjustified restrictions to trade.(43) Requirements should apply to high-risk AI systems as regards the quality of data sets used, technical documentation and record-keeping, transparency and the provision of information to users, human oversight, and robustness, accuracy and cybersecurity. Those requirements are necessary to effectively mitigate the risks for health, safety and fundamental rights, as applicable in the light of the intended purpose of the system, and no other less trade restrictive measures are reasonably available, thus avoiding unjustified restrictions to trade.(43) Requirements should apply to high-risk AI systems as regards the quality and relevance of data sets used, technical documentation and record-keeping, transparency and the provision of information to users and deployers, human oversight, and robustness, accuracy and cybersecurity. Those requirements are necessary to effectively mitigate the risks for health, safety, fundamental rights, as well as the environment, democracy and rule of law, as applicable in the light of the intended purpose or reasonably foreseeable misuse of the system, and no other less trade restrictive measures are reasonably available, thus avoiding unjustified restrictions to trade.
Recital (44)(44)  High data quality is essential for the performance of many AI systems, especially when techniques involving the training of models are used, with a view to ensure that the high-risk AI system performs as intended and safely and it does not become the source of discrimination prohibited by Union law. High quality training, validation and testing data sets require the implementation of appropriate data governance and management practices. Training, validation and testing data sets should be sufficiently relevant, representative and free of errors and complete in view of the intended purpose of the system. They should also have the appropriate statistical properties, including as regards the persons or groups of persons on which the high-risk AI system is intended to be used. In particular, training, validation and testing data sets should take into account, to the extent required in the light of their intended purpose, the features, characteristics or elements that are particular to the specific geographical, behavioural or functional setting or context within which the AI system is intended to be used. In order to protect the right of others from the discrimination that might result from the bias in AI systems, the providers shouldbeable to process also special categories of personal data, as a matter of substantial public interest, in order to ensure the bias monitoring, detection and correction in relation to high-risk AI systems.(44)  Access to data of high quality plays a vital role in providing structure and in ensuring the performance of many AI systems, especially when techniques involving the training of models are used, with a view to ensure that the high-risk AI system performs as intended and safely and it does not become a source of discrimination prohibited by Union law. High quality training, validation and testing data sets require the implementation of appropriate data governance and management practices. Training, and where applicable, validation and testing data sets, including the labels, should be sufficiently relevant, representative, appropriately vetted for errors and as complete as possible in view of the intended purpose of the system. They should also have the appropriate statistical properties, including as regards the persons or groups of persons in relation to whom the high-risk AI system is intended to be used, with specific attention to the mitigation of possible biases in the datasets, that might lead to risks to fundamental rights or discriminatory outcomes for the persons affected by the high-risk AI system. Biases can for example be inherent in underlying datasets, especially when historical data is being used, introduced by the developers of the algorithms, or generated when the systems are implemented in real world settings. Results provided by AI systems are influenced by such inherent biases that are inclined to gradually increase and thereby perpetuate and amplify existing discrimination, in particular for persons belonging to certain vulnerable or ethnic groups, or racialised communities. In particular, training, validation and testing data sets should take into account, to the extent required in the light of their intended purpose, the features, characteristics or elements that are particular to the specific geographical, contextal, behavioural or functional setting or context within which the AI system is intended to be used. In order to protect the right of others from the discrimination that might result from the bias in AI systems, the providers should, exceptionally and following the application of all applicable conditions laid down under this Regulation and in Regulation (EU) 2016/679, Directive (EU) 2016/680 and Regulation (EU) 2018/1725, be able to process also special categories of personal data, as a matter of substantial public interest, in order to ensure the negative bias detection and correction in relation to high-risk AI systems. Negative bias should be understood as bias that create direct or indirect discriminatory effect against a natural person The requirements related to data governance can be complied with by having recourse to third-parties that offer certified compliance services including verification of data governance, data set integrity, and data training, validation and testing practices.(44) High data quality is essential for the performance of many AI systems, especially when techniques involving the training of models are used, with a view to ensure that the high-risk AI system performs as intended and safely and it does not become the source of discrimination prohibited by Union law. High quality training, validation and testing data sets require the implementation of appropriate data governance and management practices. Training, validation and testing data sets should be sufficiently relevant, representative and have the appropriate statistical properties, including as regards the persons or groups of persons on which the high-risk AI system is intended to be used. These datasets should also be as free of errors and complete as possible in view of the intended purpose of the AI system, taking into account, in a proportionate manner, technical feasibility and state of the art, the availability of data and the implementation of appropriate risk management measures so that possible shortcomings of the datasets are duly addressed. The requirement for the datasets to be complete and free of errors should not affect the use of privacy-preserving techniques in the context of the the development and testing of AI systems. Training, validation and testing data sets should take into account, to the extent required by their intended purpose, the features, characteristics or elements that are particular to the specific geographical, behavioural or functional setting or context within which the AI system is intended to be used. In order to protect the right of others from the discrimination that might result from the bias in AI systems, the providers should be able to process also special categories of personal data, as a matter of substantial public interest within the meaning of Article 9(2)(g) of Regulation (EU) 2016/679 and Article 10(2)g) of Regulation (EU) 2018/1725, in order to ensure the bias monitoring, detection and correction in relation to high-risk AI systems.(44) High data quality is essential for the performance of many AI systems, especially when techniques involving the training of models are used, with a view to ensure that the high-risk AI system performs as intended and safely and it does not become the source of discrimination prohibited by Union law. Access to data of high quality plays a vital role in providing structure and ensuring the performance of these systems. High quality training, validation and testing data sets require the implementation of appropriate data governance and management practices. These practices can be complied with by having recourse to third-parties that offer certified compliance services including verification of data governance, data set integrity, and data training, validation and testing practices.

Training, validation and testing data sets should be sufficiently relevant, representative, and have the appropriate statistical properties, including as regards the persons or groups of persons on which the high-risk AI system is intended to be used. These datasets should also be as free of errors and complete as possible in view of the intended purpose of the AI system, taking into account, in a proportionate manner, technical feasibility and state of the art, the availability of data and the implementation of appropriate risk management measures so that possible shortcomings of the datasets are duly addressed.

The requirement for the datasets to be complete and free of errors should not affect the use of privacy-preserving techniques in the context of the development and testing of AI systems. Specific attention should be given to the mitigation of possible biases in the datasets, that might lead to risks to fundamental rights or discriminatory outcomes for the persons affected by the high-risk AI system. Biases can for example be inherent in underlying datasets, especially when historical data is being used, introduced by the developers of the algorithms, or generated when the systems are implemented in real world settings.

Training, validation and testing data sets should take into account, to the extent required by their intended purpose, the features, characteristics or elements that are particular to the specific geographical, behavioural or functional setting or context within which the AI system is intended to be used. In order to protect the right of others from the discrimination that might result from the bias in AI systems, the providers should be able to process also special categories of personal data, as a matter of substantial public interest, in order to ensure the bias monitoring, detection and correction in relation to high-risk AI systems. This should be done exceptionally and following the application of all applicable conditions laid down under this Regulation and in Regulation (EU) 2016/679, Directive (EU) 2016/680 and Regulation (EU) 2018/1725.
Recital (44a) (new)(44a) When applying the principles referred to in Article 5(1)(c) of Regulation 2016/679 and Article 4(1)(c) of Regulation 2018/1725, in particular the principle of data minimisation, in regard to training, validation and testing data sets under this Regulation, due regard should be had to the full life cycle of the AI system.In accordance with the principles outlined in Article 5(1)(c) of Regulation 2016/679 and Article 4(1)(c) of Regulation 2018/1725, particularly the principle of data minimisation, careful consideration should be given to the entire life cycle of the AI system when applying these principles to training, validation, and testing data sets under this Regulation.
Recital (45)(45)  For the development of high-risk AI systems, certain actors, such as providers, notified bodies and other relevant entities, such as digital innovation hubs, testing experimentation facilities and researchers, should be able to access and use high quality datasets within their respective fields of activities which are related to this Regulation. European common data spaces established by the Commission and the facilitation of data sharing between businesses and with government in the public interest will be instrumental to provide trustful, accountable and non-discriminatory access to high quality data for the training, validation and testing of AI systems. For example, in health, the European health data space will facilitate non-discriminatory access to health data and the training of artificial intelligence algorithms on those datasets, in a privacy-preserving, secure, timely, transparent and trustworthy manner, and with an appropriate institutional governance. Relevant competent authorities, including sectoral ones, providing or supporting the access to data may also support the provision of high-quality data for the training, validation and testing of AI systems.(45)  For the development and assessment of high-risk AI systems, certain actors, such as providers, notified bodies and other relevant entities, such as digital innovation hubs, testing experimentation facilities and researchers, should be able to access and use high quality datasets within their respective fields of activities which are related to this Regulation. European common data spaces established by the Commission and the facilitation of data sharing between businesses and with government in the public interest will be instrumental to provide trustful, accountable and non-discriminatory access to high quality data for the training, validation and testing of AI systems. For example, in health, the European health data space will facilitate non-discriminatory access to health data and the training of artificial intelligence algorithms on those datasets, in a privacy-preserving, secure, timely, transparent and trustworthy manner, and with an appropriate institutional governance. Relevant competent authorities, including sectoral ones, providing or supporting the access to data may also support the provision of high-quality data for the training, validation and testing of AI systems.(45) For the development of high-risk AI systems, certain actors, such as providers, notified bodies and other relevant entities, such as digital innovation hubs, testing experimentation facilities and researchers, should be able to access and use high quality datasets within their respective fields of activities which are related to this Regulation. European common data spaces established by the Commission and the facilitation of data sharing between businesses and with government in the public interest will be instrumental to provide trustful, accountable and non-discriminatory access to high quality data for the training, validation and testing of AI systems. For example, in health, the European health data space will facilitate non-discriminatory access to health data and the training of artificial intelligence algorithms on those datasets, in a privacy-preserving, secure, timely, transparent and trustworthy manner, and with an appropriate institutional governance. Relevant competent authorities, including sectoral ones, providing or supporting the access to data may also support the provision of high-quality data for the training, validation and testing of AI systems.(45) For the development and assessment of high-risk AI systems, certain actors, such as providers, notified bodies and other relevant entities, such as digital innovation hubs, testing experimentation facilities and researchers, should be able to access and use high quality datasets within their respective fields of activities which are related to this Regulation. European common data spaces established by the Commission and the facilitation of data sharing between businesses and with government in the public interest will be instrumental to provide trustful, accountable and non-discriminatory access to high quality data for the training, validation and testing of AI systems. For example, in health, the European health data space will facilitate non-discriminatory access to health data and the training of artificial intelligence algorithms on those datasets, in a privacy-preserving, secure, timely, transparent and trustworthy manner, and with an appropriate institutional governance. Relevant competent authorities, including sectoral ones, providing or supporting the access to data may also support the provision of high-quality data for the training, validation and testing of AI systems.
Recital (45a) (new)(45a)  The right to privacy and to protection of personal data must be guaranteed throughout the entire lifecycle of the AI system. In this regard, the principles of data minimisation and data protection by design and by default, as set out in Union data protection law, are essential when the processing of data involves significant risks to the fundamental rights of individuals. Providers and users of AI systems should implement state-of-the-art technical and organisational measures in order to protect those rights. Such measures should include not only anonymisation and encryption, but also the use of increasingly available technology that permits algorithms to be brought to the data and allows valuable insights to be derived without the transmission between parties or unnecessary copying of the raw or structured data themselves.The right to privacy and protection of personal data must be ensured throughout the entire lifecycle of the AI system. This necessitates the application of the principles of data minimisation and data protection by design and by default, as outlined in Union data protection law, particularly when data processing poses significant risks to individuals’ fundamental rights. Providers and users of AI systems are required to implement cutting-edge technical and organisational measures to safeguard these rights. These measures should encompass not only anonymisation and encryption, but also the employment of increasingly accessible technology that enables algorithms to be brought to the data, facilitating the extraction of valuable insights without the need for data transmission between parties or unnecessary duplication of the raw or structured data.
Recital (46)(46)  Having information on how high-risk AI systems have been developed and how they perform throughout their lifecycle is essential to verify compliance with the requirements under this Regulation. This requires keeping records and the availability of a technical documentation, containing information which is necessary to assess the compliance of the AI system with the relevant requirements. Such information should include the general characteristics, capabilities and limitations of the system, algorithms, data, training, testing and validation processes used as well as documentation on the relevant risk management system. The technical documentation should be kept up to date.(46)  Having comprehensible information on how high-risk AI systems have been developed and how they perform throughout their lifetime is essential to verify compliance with the requirements under this Regulation. This requires keeping records and the availability of a technical documentation, containing information which is necessary to assess the compliance of the AI system with the relevant requirements. Such information should include the general characteristics, capabilities and limitations of the system, algorithms, data, training, testing and validation processes used as well as documentation on the relevant risk management system. The technical documentation should be kept up to date appropriately throughout the lifecycle of the AI systemAI systems can have a large important environmental impact and high energy consumption during their lifecyle. In order to better apprehend the impact of AI systems on the environment, the technical documentation drafted by providers should include information on the energy consumption of the AI system, including the consumption during development and expected consumption during use. Such information should take into account the relevant Union and national legislation. This reported information should be comprehensible, comparable and verifiable and to that end, the Commission should develop guidelines on a harmonised metholodogy for calculation and reporting of this information. To ensure that a single documentation is possible, terms and definitions related to the required documentation and any required documentation in the relevant Union legislation should be aligned as much as possible.(46) Having information on how high-risk AI systems have been developed and how they perform throughout their lifecycle is essential to verify compliance with the requirements under this Regulation. This requires keeping records and the availability of a technical documentation, containing information which is necessary to assess the compliance of the AI system with the relevant requirements. Such information should include the general characteristics, capabilities and limitations of the system, algorithms, data, training, testing and validation processes used as well as documentation on the relevant risk management system. The technical documentation should be kept up to date. Furthermore, providers or users should keep logs automatically generated by the high-risk AI system, including for instance output data, start date and time etc., to the extent that such a system and the related logs are under their control, for a period that is appropriate to enable them to fulfil their obligations.(46) Having comprehensive information on how high-risk AI systems have been developed and how they perform throughout their lifecycle is essential to verify compliance with the requirements under this Regulation. This requires keeping records and the availability of a technical documentation, containing information which is necessary to assess the compliance of the AI system with the relevant requirements. Such information should include the general characteristics, capabilities and limitations of the system, algorithms, data, training, testing and validation processes used as well as documentation on the relevant risk management system. The technical documentation should be kept up to date appropriately throughout the lifecycle of the AI system.

Furthermore, providers or users should keep logs automatically generated by the high-risk AI system, including for instance output data, start date and time etc., to the extent that such a system and the related logs are under their control, for a period that is appropriate to enable them to fulfil their obligations.

AI systems can have a large important environmental impact and high energy consumption during their lifecycle. In order to better apprehend the impact of AI systems on the environment, the technical documentation drafted by providers should include information on the energy consumption of the AI system, including the consumption during development and expected consumption during use. Such information should take into account the relevant Union and national legislation. This reported information should be comprehensible, comparable and verifiable and to that end, the Commission should develop guidelines on a harmonised methodology for calculation and reporting of this information. To ensure that a single documentation is possible, terms and definitions related to the required documentation and any required documentation in the relevant Union legislation should be aligned as much as possible.
Recital (46a) (new)(46a) AI systems should take into account state-of-the art methods and relevant applicable standards to reduce the energy use, resource use and waste, as well as to increase their energy efficiency and the overall efficiency of the system. The environmental aspects of AI systems that are significant for the purposes of this Regulation are the energy consumption of the AI system in the development, training and deployment phase as well as the recording and reporting and storing of this data. The design of AI systems should enable the measurement and logging of the consumption of energy and resources at each stage of development, training and deployment. The monitoring and reporting of the emissions of AI systems must be robust, transparent, consistent and accurate. In order to ensure the uniform application of this Regulation and stable legal ecosystem for providers and deployers in the Single Market, the Commission should develop a common specification for the methodology to fulfil the reporting and documentation requirement on the consumption of energy and resources during development, training and deployment. Such common specifications on measurement methodology can develop a baseline upon which the Commission can better decide if future regulatory interventions are needed, upon conducting an impact assessment that takes into account existing law.AI systems should incorporate state-of-the-art methods and relevant standards to minimize energy and resource use, and waste, while maximizing energy efficiency and overall system efficiency. Significant environmental aspects of AI systems under this Regulation include energy consumption during development, training, and deployment phases, as well as the recording, reporting, and storage of this data.

The design of AI systems should facilitate the measurement and logging of energy and resource consumption at each stage of development, training, and deployment. The monitoring and reporting of AI system emissions must be robust, transparent, consistent, and accurate.

To ensure uniform application of this Regulation and a stable legal ecosystem for providers and deployers in the Single Market, the Commission should develop a common specification for the methodology to meet the reporting and documentation requirements on energy and resource consumption during development, training, and deployment.

These common specifications on measurement methodology can establish a baseline, enabling the Commission to make informed decisions about future regulatory interventions, based on an impact assessment that considers existing law.
Recital (46b) (new)(46b)  In order to achieve the objectives of this Regulation, and contribute to the Union’s environmental objectives while ensuring the smooth functioning of the internal market, it may be necessary to establish recommendations and guidelines and, eventually, targets for sustainability. For that purpose the Commission is entitled to develop a methodology to contribute towards having Key Performance Indicators (KPIs) and a reference for the Sustainable Development Goals (SDGs). The goal should be in the first instance to enable fair comparison between AI implementation choices providing incentives to promote using more efficient AI technologies addressing energy and resource concerns. To meet this objective this Regulation should provide the means to establish a baseline collection of data reported on the emissions from development and training and for deployment.In order to achieve the objectives of this Regulation and contribute to the Union’s environmental objectives while ensuring the smooth functioning of the internal market, it may be necessary to establish recommendations, guidelines, and potentially, sustainability targets. To this end, the Commission is authorized to develop a methodology to contribute towards the establishment of Key Performance Indicators (KPIs) and a reference for the Sustainable Development Goals (SDGs). The primary goal should be to enable a fair comparison between AI implementation choices, providing incentives to promote the use of more efficient AI technologies that address energy and resource concerns. To meet this objective, this Regulation should provide the means to establish a baseline collection of data reported on the emissions from development, training, and deployment of AI technologies.
Recital (47)(47) To address the opacity that may make certain AI systems incomprehensible to or too complex for natural persons, a certain degree of transparency should be required for high-risk AI systems. Users should be able to interpret the system output and use it appropriately. High-risk AI systems should therefore be accompanied by relevant documentation and instructions of use and include concise and clear information, including in relation to possible risks to fundamental rights and discrimination, where appropriate.(47) To address the opacity that may make certain AI systems incomprehensible to or too complex for natural persons, a certain degree of transparency should be required for high-risk AI systems. Users should be able to interpret the system output and use it appropriately. High-risk AI systems should therefore be accompanied by relevant documentation and instructions of use and include concise and clear information, including in relation to possible risks to fundamental rights and discrimination, where appropriate.(47) To address the opacity that may make certain AI systems incomprehensible to or too complex for natural persons, a certain degree of transparency should be required for high- risk AI systems. Users should be able to interpret the system output and use it appropriately. High-risk AI systems should therefore be accompanied by relevant documentation and instructions of use and include concise and clear information, including in relation to possible risks to fundamental rights and discrimination of the persons who may be affected by the system in light of its intended purpose, where appropriate. To facilitate the understanding of the instructions of use by users, they should contain illustrative examples, as appropriate.(47) To address the opacity that may make certain AI systems incomprehensible to or too complex for natural persons, a certain degree of transparency should be required for high-risk AI systems. Users should be able to interpret the system output and use it appropriately. High-risk AI systems should therefore be accompanied by relevant documentation and instructions of use and include concise and clear information, including in relation to possible risks to fundamental rights and discrimination of the persons who may be affected by the system in light of its intended purpose, where appropriate. To facilitate the understanding of the instructions of use by users, they should contain illustrative examples, as appropriate.
Recital (47a) (new)(47a)  Such requirements on transparency and on the explicability of AI decision-making should also help to counter the deterrent effects of digital asymmetry and so-called ‘dark patterns’ targeting individuals and their informed consent.The requirements on transparency and the explicability of AI decision-making should be implemented to counteract the deterrent effects of digital asymmetry and the so-called ‘dark patterns’ that target individuals and their informed consent.
Recital (48)High-risk AI systems should be designed and developed in such a way that natural persons can oversee their functioning. For this purpose, appropriate human oversight measures should be identified by the provider of the system before its placing on the market or putting into service. In particular, where appropriate, such measures should guarantee that the system is subject to in-built operational constraints that cannot be overridden by the system itself and is responsive to the human operator, and that the natural persons to whom human oversight has been assigned have the necessary competence, training and authority to carry out that role.High-risk AI systems should be designed and developed in such a way that natural persons can oversee their functioning. For this purpose, appropriate human oversight measures should be identified by the provider of the system before its placing on the market or putting into service. In particular, where appropriate, such measures should guarantee that the system is subject to in-built operational constraints that cannot be overridden by the system itself and is responsive to the human operator, and that the natural persons to whom human oversight has been assigned have the necessary competence, training and authority to carry out that role.(48) High-risk AI systems should be designed and developed in such a way that natural persons can oversee their functioning. For this purpose, appropriate human oversight measures should be identified by the provider of the system before its placing on the market or putting into service. In particular, where appropriate, such measures should guarantee that the system is subject to in-built operational constraints that cannot be overridden by the system itself and is responsive to the human operator, and that the natural persons to whom human oversight has been assigned have the necessary competence, training and authority to carry out that role. Considering the significant consequences for persons in case of incorrect matches by certain biometric identification systems, it is appropriate to provide for an enhanced human oversight requirement for those systems so that no action or decision may be taken by the user on the basis of the identification resulting from the system unless this has been separately verified and confirmed by at least two natural persons. Those persons could be from one or more entities and include the person operating or using the system. This requirement should not pose unnecessary burden or delays and it could be sufficient that the separate verifications by the different persons are automatically recorded in the logs generated by the system.High-risk AI systems should be designed and developed in such a way that natural persons can oversee their functioning. For this purpose, appropriate human oversight measures should be identified by the provider of the system before its placing on the market or putting into service. In particular, where appropriate, such measures should guarantee that the system is subject to in-built operational constraints that cannot be overridden by the system itself and is responsive to the human operator, and that the natural persons to whom human oversight has been assigned have the necessary competence, training and authority to carry out that role. Considering the significant consequences for persons in case of incorrect matches by certain biometric identification systems, it is appropriate to provide for an enhanced human oversight requirement for those systems so that no action or decision may be taken by the user on the basis of the identification resulting from the system unless this has been separately verified and confirmed by at least two natural persons. Those persons could be from one or more entities and include the person operating or using the system. This requirement should not pose unnecessary burden or delays and it could be sufficient that the separate verifications by the different persons are automatically recorded in the logs generated by the system.
Recital (49)(49)  High-risk AI systems should perform consistently throughout their lifecycle and meet an appropriate level of accuracy, robustness and cybersecurity in accordance with the generally acknowledged state of the art. The level of accuracy and accuracy metrics should be communicated to the users.(49)  High-risk AI systems should perform consistently throughout their lifecycle and meet an appropriate level of accuracy, robustness and cybersecurity in accordance with the generally acknowledged state of the art. Performance metrics and their expected level should be defined with the primary objective to mitigate risks and negative impact of the AI system. The expected level of performance metrics should be communicated in a clear, transparent, easily understandable and intelligible way to the deployersThe declaration of performance metrics cannot be considered proof of future levels, but relevant methods need to be applied to ensure consistent levels during use While standardisation organisations exist to establish standards, coordination on benchmarking is needed to establish how these standardised requirements and characteristics of AI systems should be measured. The European Artificial Intelligence Office should bring together national and international metrology and benchmarking authorities and provide non-binding guidance to address the technical aspects of how to measure the appropriate levels of performance and robustness.(49) High-risk AI systems should perform consistently throughout their lifecycle and meet an appropriate level of accuracy, robustness and cybersecurity in accordance with the generally acknowledged state of the art. The level of accuracy and accuracy metrics should be communicated to the users.(49) High-risk AI systems should perform consistently throughout their lifecycle and meet an appropriate level of accuracy, robustness and cybersecurity in accordance with the generally acknowledged state of the art. Performance metrics and their expected level should be defined with the primary objective to mitigate risks and negative impact of the AI system. The level of accuracy and accuracy metrics should be communicated to the users and deployers in a clear, transparent, easily understandable and intelligible way. The declaration of performance metrics cannot be considered proof of future levels, but relevant methods need to be applied to ensure consistent levels during use. While standardisation organisations exist to establish standards, coordination on benchmarking is needed to establish how these standardised requirements and characteristics of AI systems should be measured. The European Artificial Intelligence Office should bring together national and international metrology and benchmarking authorities and provide non-binding guidance to address the technical aspects of how to measure the appropriate levels of performance and robustness.
Recital (50)(50)  The technical robustness is a key requirement for high-risk AI systems. They should be resilient against risks connected to the limitations of the system (e.g. errors, faults, inconsistencies, unexpected situations) as well as against malicious actions that may compromise the security of the AI system and result in harmful or otherwise undesirable behaviour. Failure to protect against these risks could lead to safety impacts or negatively affect the fundamental rights, for example due to erroneous decisions or wrong or biased outputs generated by the AI system.(50)  The technical robustness is a key requirement for high-risk AI systems. They should be resilient against risks connected to the limitations of the system (e.g. errors, faults, inconsistencies, unexpected situations) as well as against malicious actions that may compromise the security of the AI system and result in harmful or otherwise undesirable behaviour. Failure to protect against these risks could lead to safety impacts or negatively affect the fundamental rights, for example due to erroneous decisions or wrong or biased outputs generated by the AI system. Users of the AI system should take steps to ensure that the possible trade-off between robustness and accuracy does not lead to discriminatory or negative outcomes for minority subgroups.(50) The technical robustness is a key requirement for high-risk AI systems. They should be resilient in relation to harmful or otherwise undesirable behaviour that may result from limitations within the systems or the environment in which the systems operate (e.g. errors, faults, inconsistencies, unexpected situations). High-risk AI systems should therefore be designed and developed with appropriate technical solutions to prevent or minimize that harmful or otherwise undesirable behaviour, such as for instance mechanisms enabling the system to safely interrupt its operation (fail-safe plans) in the presence of certain anomalies or when operation takes place outside certain predetermined boundaries. Failure to protect against these risks could lead to safety impacts or negatively affect the fundamental rights, for example due to erroneous decisions or wrong or biased outputs generated by the AI system.(50) The technical robustness is a key requirement for high-risk AI systems. They should be resilient against risks connected to the limitations of the system (e.g. errors, faults, inconsistencies, unexpected situations) as well as against malicious actions that may compromise the security of the AI system and result in harmful or otherwise undesirable behaviour. High-risk AI systems should therefore be designed and developed with appropriate technical solutions to prevent or minimize that harmful or otherwise undesirable behaviour, such as for instance mechanisms enabling the system to safely interrupt its operation (fail-safe plans) in the presence of certain anomalies or when operation takes place outside certain predetermined boundaries. Users of the AI system should take steps to ensure that the possible trade-off between robustness and accuracy does not lead to discriminatory or negative outcomes for minority subgroups. Failure to protect against these risks could lead to safety impacts or negatively affect the fundamental rights, for example due to erroneous decisions or wrong or biased outputs generated by the AI system.
Recital (51)(51)  Cybersecurity plays a crucial role in ensuring that AI systems are resilient against attempts to alter their use, behaviour, performance or compromise their security properties by malicious third parties exploiting the system’s vulnerabilities. Cyberattacks against AI systems can leverage AI specific assets, such as training data sets (e.g. data poisoning) or trained models (e.g. adversarial attacks), or exploit vulnerabilities in the AI system’s digital assets or the underlying ICT infrastructure. To ensure a level of cybersecurity appropriate to the risks, suitable measures should therefore be taken by the providers of high-risk AI systems, also taking into account as appropriate the underlying ICT infrastructure.(51)  Cybersecurity plays a crucial role in ensuring that AI systems are resilient against attempts to alter their use, behaviour, performance or compromise their security properties by malicious third parties exploiting the system’s vulnerabilities. Cyberattacks against AI systems can leverage AI specific assets, such as training data sets (e.g. data poisoning) or trained models (e.g. adversarial attacks or confidentiality attacks), or exploit vulnerabilities in the AI system’s digital assets or the underlying ICT infrastructure. To ensure a level of cybersecurity appropriate to the risks, suitable measures should therefore be taken by the providers of high-risk AI systems, as well as the notified bodies, competent national authorities and market surveillance authorities, also taking into account as appropriate the underlying ICT infrastructure. High-risk AI should be accompanied by security solutions and patches for the lifetime of the product, or in case of the absence of dependence on a specific product, for a time that needs to be stated by the manufacturer.(51) Cybersecurity plays a crucial role in ensuring that AI systems are resilient against attempts to alter their use, behaviour, performance or compromise their security properties by malicious third parties exploiting the system’s vulnerabilities. Cyberattacks against AI systems can leverage AI specific assets, such as training data sets (e.g. data poisoning) or trained models (e.g. adversarial attacks), or exploit vulnerabilities in the AI system’s digital assets or the underlying ICT infrastructure. To ensure a level of cybersecurity appropriate to the risks, suitable measures should therefore be taken by the providers of high-risk AI systems, also taking into account as appropriate the underlying ICT infrastructure.(51) Cybersecurity plays a crucial role in ensuring that AI systems are resilient against attempts to alter their use, behaviour, performance or compromise their security properties by malicious third parties exploiting the system’s vulnerabilities. Cyberattacks against AI systems can leverage AI specific assets, such as training data sets (e.g. data poisoning) or trained models (e.g. adversarial attacks or confidentiality attacks), or exploit vulnerabilities in the AI system’s digital assets or the underlying ICT infrastructure. To ensure a level of cybersecurity appropriate to the risks, suitable measures should therefore be taken by the providers of high-risk AI systems, as well as the notified bodies, competent national authorities and market surveillance authorities, also taking into account as appropriate the underlying ICT infrastructure. High-risk AI should be accompanied by security solutions and patches for the lifetime of the product, or in case of the absence of dependence on a specific product, for a time that needs to be stated by the manufacturer.
Recital (52)(52) As part of Union harmonisation legislation, rules applicable to the placing on the market, putting into service and use of high-risk AI systems should be laid down consistently with Regulation (EC) No 765/2008 of the European Parliament and of the Council51 setting out the requirements for accreditation and the market surveillance of products, Decision No 768/2008/EC of the European Parliament and of the Council52 on a common framework for the marketing of products and Regulation (EU) 2019/1020 of the European Parliament and of the Council53 on market surveillance and compliance of products (‘New Legislative Framework for the marketing of products’).

–––––
51. Regulation (EC) No 765/2008 of the European Parliament and of the Council of 9 July 2008 setting out the requirements for accreditation and market surveillance relating to the marketing of products and repealing Regulation (EEC) No 339/93 (OJ L 218, 13.8.2008, p. 30).

52. Decision No 768/2008/EC of the European Parliament and of the Council of 9 July 2008 on a common framework for the marketing of products, and repealing Council Decision 93/465/EEC (OJ L 218, 13.8.2008, p. 82).

53. Regulation (EU) 2019/1020 of the European Parliament and of the Council of 20 June 2019 on market surveillance and compliance of products and amending Directive 2004/42/EC and Regulations (EC) No 765/2008 and (EU) No 305/2011 (Text with EEA relevance) (OJ L 169, 25.6.2019, p. 1–44).		(52) As part of Union harmonisation legislation, rules applicable to the placing on the market, putting into service and use of high-risk AI systems should be laid down consistently with Regulation (EC) No 765/2008 of the European Parliament and of the Council51 setting out the requirements for accreditation and the market surveillance of products, Decision No 768/2008/EC of the European Parliament and of the Council52 on a common framework for the marketing of products and Regulation (EU) 2019/1020 of the European Parliament and of the Council53 on market surveillance and compliance of products (‘New Legislative Framework for the marketing of products’).

–––––
51. Regulation (EC) No 765/2008 of the European Parliament and of the Council of 9 July 2008 setting out the requirements for accreditation and market surveillance relating to the marketing of products and repealing Regulation (EEC) No 339/93 (OJ L 218, 13.8.2008, p. 30).

52. Decision No 768/2008/EC of the European Parliament and of the Council of 9 July 2008 on a common framework for the marketing of products, and repealing Council Decision 93/465/EEC (OJ L 218, 13.8.2008, p. 82).

53. Regulation (EU) 2019/1020 of the European Parliament and of the Council of 20 June 2019 on market surveillance and compliance of products and amending Directive 2004/42/EC and Regulations (EC) No 765/2008 and (EU) No 305/2011 (Text with EEA relevance) (OJ L 169, 25.6.2019, p. 1–44).		(52) As part of Union harmonisation legislation, rules applicable to the placing on the market, putting into service and use of high-risk AI systems should be laid down consistently with Regulation (EC) No 765/2008 of the European Parliament and of the Council22 setting out the requirements for accreditation and the market surveillance of products, Decision No 768/2008/EC of the European Parliament and of the Council23 on a common framework for the marketing of products and Regulation (EU) 2019/1020 of the European Parliament and of the Council24 on market surveillance and compliance of products (‘New Legislative Framework for the marketing of products’).

––
22. Regulation (EC) No 765/2008 of the European Parliament and of the Council of 9 July 2008 setting out the requirements for accreditation and market surveillance relating to the marketing of products and repealing Regulation (EEC) No 339/93 (OJ L 218, 13.8.2008, p. 30).

23. Decision No 768/2008/EC of the European Parliament and of the Council of 9 July 2008 on a common framework for the marketing of products, and repealing Council Decision 93/465/EEC (OJ L 218, 13.8.2008, p. 82).

24. Regulation (EU) 2019/1020 of the European Parliament and of the Council of 20 June 2019 on market surveillance and compliance of products and amending Directive 2004/42/EC and Regulations (EC) No 765/2008 and (EU) No 305/2011 (Text with EEA relevance) (OJ L 169, 25.6.2019, p. 1–44).		(52) As part of Union harmonisation legislation, rules applicable to the placing on the market, putting into service and use of high-risk AI systems should be laid down consistently with Regulation (EC) No 765/2008 of the European Parliament and of the Council setting out the requirements for accreditation and the market surveillance of products, Decision No 768/2008/EC of the European Parliament and of the Council on a common framework for the marketing of products and Regulation (EU) 2019/1020 of the European Parliament and of the Council on market surveillance and compliance of products (‘New Legislative Framework for the marketing of products’).

–––––
Regulation (EC) No 765/2008 of the European Parliament and of the Council of 9 July 2008 setting out the requirements for accreditation and market surveillance relating to the marketing of products and repealing Regulation (EEC) No 339/93 (OJ L 218, 13.8.2008, p. 30).

Decision No 768/2008/EC of the European Parliament and of the Council of 9 July 2008 on a common framework for the marketing of products, and repealing Council Decision 93/465/EEC (OJ L 218, 13.8.2008, p. 82).

Regulation (EU) 2019/1020 of the European Parliament and of the Council of 20 June 2019 on market surveillance and compliance of products and amending Directive 2004/42/EC and Regulations (EC) No 765/2008 and (EU) No 305/2011 (Text with EEA relevance) (OJ L 169, 25.6.2019, p. 1–44).
Recital (52a) (new)(52a) In line with New Legislative Framework principles, specific obligations for relevant operators within the AI value chain should be set to ensure legal certainty and facilitate compliance with this Regulation. In certain situations those operators could act in more than one role at the same time and should therefore fufil cumulatively all relevant obligations associated with those roles. For example, an operator could act as a distributor and an importer at the same time.In accordance with the principles of the New Legislative Framework, it is necessary to establish specific obligations for relevant operators within the AI value chain to ensure legal certainty and facilitate compliance with this Regulation. It should be noted that in certain situations, these operators may assume multiple roles simultaneously and are therefore required to fulfill all relevant obligations associated with those roles. For instance, an operator could function as both a distributor and an importer, thereby needing to meet the responsibilities of both roles.
Recital (53)(53) It is appropriate that a specific natural or legal person, defined as the provider, takes the responsibility for the placing on the market or putting into service of a high-risk AI system, regardless of whether that natural or legal person is the person who designed or developed the system.(53) It is appropriate that a specific natural or legal person, defined as the provider, takes the responsibility for the placing on the market or putting into service of a high-risk AI system, regardless of whether that natural or legal person is the person who designed or developed the system.(53) It is appropriate that a specific natural or legal person, defined as the provider, takes the responsibility for the placing on the market or putting into service of a high-risk AI system, regardless of whether that natural or legal person is the person who designed or developed the system.(53) It is appropriate that a specific natural or legal person, defined as the provider, takes the responsibility for the placing on the market or putting into service of a high-risk AI system, regardless of whether that natural or legal person is the person who designed or developed the system.
Recital (53a) (new)(53a) As signatories to the United Nations Convention on the Rights of Persons with Disabilities (UNCRPD), the Union and the Member States are legally obliged to protect persons with disabilities from discrilmination and promote their equality, to ensure that persons with disabilities have access, on an equal basis wirh others, to information and communications technologies and systems, and to ensure respect for privacy for persons with disabilities. Given the growing importance and use of AI systems, the application of universal design principles to all new technologies and services should ensure full, equal, and unrestricted access for everyone potentially affected by or using AI technologies, including persons with disabilities, in a way that takes full account of their inherent dignity and diversity. It is therefore essential that Providers ensure full compliance with accessibility requirements, including Directive (EU) 2016/2102 and Directive (EU) 2019/882. Providers should ensure compliance with these requirements by design. Therefore, the necessary measures should be integrated as much as possible into the design of the high-risk AI system.As signatories to the United Nations Convention on the Rights of Persons with Disabilities (UNCRPD), the Union and the Member States are legally bound to protect persons with disabilities from discrimination and promote their equality. This includes ensuring that persons with disabilities have equal access to information and communications technologies and systems, and that their privacy is respected. Given the increasing importance and use of AI systems, it is crucial that universal design principles are applied to all new technologies and services. This will ensure full, equal, and unrestricted access for everyone potentially affected by or using AI technologies, including persons with disabilities, while respecting their inherent dignity and diversity. Therefore, it is essential that Providers comply fully with accessibility requirements, including Directive (EU) 2016/2102 and Directive (EU) 2019/882. Providers should ensure compliance with these requirements by design, integrating the necessary measures as much as possible into the design of the high-risk AI system.
Recital (54)(54)  The provider should establish a sound quality management system, ensure the accomplishment of the required conformity assessment procedure, draw up the relevant documentation and establish a robust post-market monitoring system. Public authorities which put into service high-risk AI systems for their own use may adopt and implement the rules for the quality management system as part of the quality management system adopted at a national or regional level, as appropriate, taking into account the specificities of the sector and the competences and organisation of the public authority in question.(54)  The provider should establish a sound quality management system, ensure the accomplishment of the required conformity assessment procedure, draw up the relevant documentation and establish a robust post-market monitoring system. For providers that have already in place quality management systems based on standards such as ISO 9001 or other relevant standards, no duplicative quality management system in full should be expected but rather an adaptation of their existing systems to certain aspects linked to compliance with specific requirements of this Regulation. This should also be reflected in future standardization activities or guidance adopted by the Commission in this respect. Public authorities which put into service high-risk AI systems for their own use may adopt and implement the rules for the quality management system as part of the quality management system adopted at a national or regional level, as appropriate, taking into account the specificities of the sector and the competences and organisation of the public authority in question.(54) The provider should establish a sound quality management system, ensure the accomplishment of the required conformity assessment procedure, draw up the relevant documentation and establish a robust post-market monitoring system. Public authorities which put into service high-risk AI systems for their own use may adopt and implement the rules for the quality management system as part of the quality management system adopted at a national or regional level, as appropriate, taking into account the specificities of the sector and the competences and organisation of the public authority in question.(54) The provider should establish a sound quality management system, ensure the accomplishment of the required conformity assessment procedure, draw up the relevant documentation and establish a robust post-market monitoring system. For providers that have already in place quality management systems based on standards such as ISO 9001 or other relevant standards, no duplicative quality management system in full should be expected but rather an adaptation of their existing systems to certain aspects linked to compliance with specific requirements of this Regulation. This should also be reflected in future standardization activities or guidance adopted by the Commission in this respect. Public authorities which put into service high-risk AI systems for their own use may adopt and implement the rules for the quality management system as part of the quality management system adopted at a national or regional level, as appropriate, taking into account the specificities of the sector and the competences and organisation of the public authority in question.
Recital (54a) (new)(54a) To ensure legal certainty, it is necessary to clarify that, under certain specific conditions, any natural or legal person should be considered a provider of a new high-risk AI system and therefore assume all the relevant obligations. For example, this would be the case if that person puts its name or trademark on a high-risk AI system already placed on the market or put into service, or if that person modifies the intended purpose of an AI system which is not high-risk and is already placed on the market or put into service, in a way that makes the modified system a high-risk AI system. These provisions should apply without prejudice to more specific provisions established in certain New Legislative Framework sectorial legislation with which this Regulation should apply jointly. For example, Article 16, paragraph 2 of Regulation 745/2017, establishing that certain changes should not be considered modifications of a device that could affect its compliance with the applicable requirements, should continue to apply to high-risk AI systems that are medical devices within the meaning of that Regulation.To ensure legal certainty, it should be clarified that under specific conditions, any natural or legal person may be considered a provider of a new high-risk AI system and therefore assume all the relevant obligations. This would apply if that person puts their name or trademark on a high-risk AI system already placed on the market or put into service, or if they modify the intended purpose of an AI system which is not high-risk and is already placed on the market or put into service, in a way that makes the modified system a high-risk AI system. These provisions should apply without prejudice to more specific provisions established in certain New Legislative Framework sectorial legislation with which this Regulation should apply jointly. For instance, Article 16, paragraph 2 of Regulation 745/2017, establishing that certain changes should not be considered modifications of a device that could affect its compliance with the applicable requirements, should continue to apply to high-risk AI systems that are medical devices within the meaning of that Regulation.
Recital (55)(55) Where a high-risk AI system that is a safety component of a product which is covered by a relevant New Legislative Framework sectorial legislation is not placed on the market or put into service independently from the product, the manufacturer of the final product as defined under the relevant New Legislative Framework legislation should comply with the obligations of the provider established in this Regulation and notably ensure that the AI system embedded in the final product complies with the requirements of this Regulation.(55) Where a high-risk AI system that is a safety component of a product which is covered by a relevant New Legislative Framework sectorial legislation is not placed on the market or put into service independently from the product, the manufacturer of the final product as defined under the relevant New Legislative Framework legislation should comply with the obligations of the provider established in this Regulation and notably ensure that the AI system embedded in the final product complies with the requirements of this Regulation.(55) Where a high-risk AI system that is a safety component of a product which is covered by a relevant New Legislative Framework sectorial legislation is not placed on the market or put into service independently from the product, the product manufacturer as defined under the relevant New Legislative Framework legislation should comply with the obligations of the provider established in this Regulation and notably ensure that the AI system embedded in the final product complies with the requirements of this Regulation.(55) Where a high-risk AI system that is a safety component of a product which is covered by a relevant New Legislative Framework sectorial legislation is not placed on the market or put into service independently from the product, the manufacturer of the final product, also referred to as the product manufacturer, as defined under the relevant New Legislative Framework legislation should comply with the obligations of the provider established in this Regulation and notably ensure that the AI system embedded in the final product complies with the requirements of this Regulation.
Recital (56)(56)  To enable enforcement of this Regulation and create a level-playing field for operators, and taking into account the different forms of making available of digital products, it is important to ensure that, under all circumstances, a person established in the Union can provide authorities with all the necessary information on the compliance of an AI system. Therefore, prior to making their AI systems available in the Union, where an importer cannot be identified, providers established outside the Union shall, by written mandate, appoint an authorised representative established in the Union.(56)  To enable enforcement of this Regulation and create a level-playing field for operators, and taking into account the different forms of making available of digital products, it is important to ensure that, under all circumstances, a person established in the Union can provide authorities with all the necessary information on the compliance of an AI system. Therefore, prior to making their AI systems available in the Union, providers established outside the Union shall, by written mandate, appoint an authorised representative established in the Union.(56) To enable enforcement of this Regulation and create a level-playing field for operators, and taking into account the different forms of making available of digital products, it is important to ensure that, under all circumstances, a person established in the Union can provide authorities with all the necessary information on the compliance of an AI system. Therefore, prior to making their AI systems available in the Union, where an importer cannot be identified, providers established outside the Union shall, by written mandate, appoint an authorised representative established in the Union.(56) To enable enforcement of this Regulation and create a level-playing field for operators, and taking into account the different forms of making available of digital products, it is important to ensure that, under all circumstances, a person established in the Union can provide authorities with all the necessary information on the compliance of an AI system. Therefore, prior to making their AI systems available in the Union, where an importer cannot be identified, providers established outside the Union shall, by written mandate, appoint an authorised representative established in the Union.
Recital (56a) (new)(56a) For providers who are not established in the Union, the authorised representative plays a pivotal role in ensuring the compliance of the high-risk AI systems placed on the market or put into service in the Union by those providers and in serving as their contact person established in the Union. Given that pivotal role, and in order to ensure that responsibility is assumed for the purposes of enforcement of this Regulation, it is appropriate to make the authorised representative jointly and severally liable with the provider for defective high- risk AI systems. The liability of the authorised representative provided for in this Regulation is without prejudice to the provisions of Directive 85/374/EEC on liability for defective products.For providers not established in the Union, the authorised representative plays a crucial role in ensuring the compliance of high-risk AI systems placed on the market or put into service in the Union by those providers. They also serve as their contact person established in the Union. Given this crucial role, and to ensure that responsibility is assumed for the enforcement of this Regulation, it is appropriate to make the authorised representative jointly and severally liable with the provider for defective high-risk AI systems. This liability of the authorised representative under this Regulation does not prejudice the provisions of Directive 85/374/EEC on liability for defective products.
Recital (57)(57) In line with New Legislative Framework principles, specific obligations for relevant economic operators, such as importers and distributors, should be set to ensure legal certainty and facilitate regulatory compliance by those relevant operators.(57) In line with New Legislative Framework principles, specific obligations for relevant economic operators, such as importers and distributors, should be set to ensure legal certainty and facilitate regulatory compliance by those relevant operators.deletedNone
Recital (58)(58)  Given the nature of AI systems and the risks to safety and fundamental rights possibly associated with their use, including as regard the need to ensure proper monitoring of the performance of an AI system in a real-life setting, it is appropriate to set specific responsibilities for users. Users should in particular use high-risk AI systems in accordance with the instructions of use and certain other obligations should be provided for with regard to monitoring of the functioning of the AI systems and with regard to record-keeping, as appropriate.(58)  Given the nature of AI systems and the risks to safety and fundamental rights possibly associated with their use, including as regards the need to ensure proper monitoring of the performance of an AI system in a real-life setting, it is appropriate to set specific responsibilities for deployers. Deployers should in particular use high-risk AI systems in accordance with the instructions of use and certain other obligations should be provided for with regard to monitoring of the functioning of the AI systems and with regard to record-keeping, as appropriate.(58) Given the nature of AI systems and the risks to safety and fundamental rights possibly associated with their use, including as regard the need to ensure proper monitoring of the performance of an AI system in a real-life setting, it is appropriate to set specific responsibilities for users. Users should in particular use high-risk AI systems in accordance with the instructions of use and certain other obligations should be provided for with regard to monitoring of the functioning of the AI systems and with regard to record-keeping, as appropriate. These obligations should be without prejudice to other user obligations in relation to high-risk AI systems under Union or national law, and should not apply where the use is made in the course of a personal non-professional activity. (58) Given the nature of AI systems and the risks to safety and fundamental rights possibly associated with their use, including as regards the need to ensure proper monitoring of the performance of an AI system in a real-life setting, it is appropriate to set specific responsibilities for users and deployers. Users and deployers should in particular use high-risk AI systems in accordance with the instructions of use and certain other obligations should be provided for with regard to monitoring of the functioning of the AI systems and with regard to record-keeping, as appropriate. These obligations should be without prejudice to other user or deployer obligations in relation to high-risk AI systems under Union or national law, and should not apply where the use is made in the course of a personal non-professional activity.
Recital (58a) (new) [C](58a) It is appropriate to clarify that this Regulation does not affect the obligations of providers and users of AI systems in their role as data controllers or processors stemming from Union law on the protection of personal data in so far as the design, the development or the use of AI systems involves the processing of personal data. It is also appropriate to clarify that data subjects continue to enjoy all the rights and guarantees awarded to them by such Union law, including the rights related to solely automated individual decision-making, including profiling. Harmonised rules for the placing on the market, the putting into service and the use of AI systems established under this Regulation should facilitate the effective implementation and enable the exercise of the data subjects’ rights and other remedies guaranteed under Union law on the protection of personal data and of other fundamental rights.This Regulation should clarify that it does not impact the obligations of AI system providers and users in their capacity as data controllers or processors under Union law on personal data protection, particularly when the design, development, or use of AI systems involves personal data processing. It should also be clear that data subjects retain all rights and guarantees provided by such Union law, including those related to solely automated individual decision-making and profiling. The harmonised rules for the marketing, commissioning, and use of AI systems under this Regulation should facilitate effective implementation and enable the exercise of data subjects’ rights and other remedies guaranteed under Union law on personal data protection and other fundamental rights.
Recital (58a) (new) [P](58a) Whilst risks related to AI systems can result from the way such systems are designed, risks can as well stem from how such AI systems are used. Deployers of high-risk AI system therefore play a critical role in ensuring that fundamental rights are protected, complementing the obligations of the provider when developing the AI system. Deployers are best placed to understand how the high-risk AI system will be used concretely and can therefore identify potential significant risks that were not foreseen in the development phase, due to a more precise knowledge of the context of use, the people or groups of people likely to be affected, including marginalised and vulnerable groups. Deployers should identify appropriate governance structures in that specific context of use, such as arrangements for human oversight, complaint-handling procedures and redress procedures, because choices in the governance structures can be instrumental in mitigating risks to fundamental rights in concrete use-cases. In order to efficiently ensure that fundamental rights are protected, the deployer of high-risk AI systems should therefore carry out a fundamental rights impact assessment prior to putting it into use. The impact assessment should be accompanied by a detailed plan describing the measures or tools that will help mitigating the risks to fundamental rights identified at the latest from the time of putting it into use. If such plan cannot be identified, the deployer should refrain from putting the system into use. When performing this impact assessment, the deployer should notify the national supervisory authority and, to the best extent possible relevant stakeholders as well as representatives of groups of persons likely to be affected by the AI system in order to collect relevant information which is deemed necessary to perform the impact assessment and are encouraged to make the summary of their fundamental rights impact assessment publicly available on their online website. This obligations should not apply to SMEs which, given the lack of resrouces, might find it difficult to perform such consultation. Nevertheless, they should also strive to invole such representatives when carrying out their fundamental rights impact assessment.In addition, given the potential impact and the need for democratic oversight and scrutiny, deployers of high-risk AI systems that are public authorities or Union institutions, bodies, offices and agencies, as well deployers who are undertakings designated as a gatekeeper under Regulation (EU) 2022/1925 should be required to register the use of any high-risk AI system in a public database. Other deployers may voluntarily register.While acknowledging that risks related to AI systems can arise from their design, it is also recognized that risks can stem from how these systems are used. Therefore, deployers of high-risk AI systems play a crucial role in ensuring the protection of fundamental rights, supplementing the responsibilities of the provider during the development of the AI system. Given their understanding of the specific use of the high-risk AI system, deployers are in a position to identify potential significant risks that may not have been anticipated during the development phase. This understanding is based on their knowledge of the context of use, the individuals or groups likely to be affected, including marginalized and vulnerable groups.

Deployers are therefore required to identify suitable governance structures in the specific context of use, such as arrangements for human oversight, complaint-handling procedures, and redress procedures. These governance structures can play a key role in mitigating risks to fundamental rights in specific use-cases. To effectively ensure the protection of fundamental rights, deployers of high-risk AI systems should conduct a fundamental rights impact assessment before deploying the system. This assessment should be accompanied by a detailed plan outlining the measures or tools that will help mitigate the identified risks to fundamental rights from the time of deployment. If such a plan cannot be identified, the deployer should refrain from deploying the system.

When conducting this impact assessment, the deployer should inform the national supervisory authority and, to the best extent possible, relevant stakeholders and representatives of groups likely to be affected by the AI system. This is to gather necessary information for the impact assessment. Deployers are encouraged to make the summary of their fundamental rights impact assessment publicly available on their online website. However, this obligation should not apply to SMEs, which may find it difficult to perform such consultation due to resource constraints. Nevertheless, they should also strive to involve such representatives when conducting their fundamental rights impact assessment.

Furthermore, considering the potential impact and the need for democratic oversight and scrutiny, deployers of high-risk AI systems that are public authorities or Union institutions, bodies, offices, and agencies, as well as deployers designated as gatekeepers under Regulation (EU) 2022/1925, should be required to register the use of any high-risk AI system in a public database. Other deployers may register voluntarily.
Recital (59)(59)  It is appropriate to envisage that the user of the AI system should be the natural or legal person, public authority, agency or other body under whose authority the AI system is operated except where the use is made in the course of a personal non-professional activity.(59)  It is appropriate to envisage that the deployer of the AI system should be the natural or legal person, public authority, agency or other body under whose authority the AI system is operated except where the use is made in the course of a personal non-professional activity.deleted(59) It is appropriate to envisage that the entity, whether a natural or legal person, public authority, agency or other body under whose authority the AI system is operated, should be considered the user or deployer of the AI system, except where the use is made in the course of a personal non-professional activity.
Recital (60)(60)  In the light of the complexity of the artificial intelligence value chain, relevant third parties, notably the onesinvolved in the sale and the supply of software, software tools and components, pre-trained models and data, or providers of network services, should cooperate, as appropriate, with providers and users to enable their compliance with the obligations under this Regulation and with competent authorities established under this Regulation.(60)  Within the AI value chain multiple entities often supply tools and services but also components or processes that are then incorporated by the provider into the AI system, including in relation to data collection and pre-processing, model training, model retraining, model testing and evaluation, integration into software, or other aspects of model development. The involved entities may make their offering commercially available directly or indirectly, through interfaces, such as Application Programming Interfaces (API), and distributed under free and open source licenses but also more and more by AI workforce platforms, trained parameters resale, DIY kits to build models or the offering of paying access to a model serving architecture to develop and train models. In the light of this complexity of the AI value chain, all relevant third parties, in particular those that are involved in the development, sale and the commercialsupply of software tools, components, pre-trained models or data incorporated into the AI system, or providers of network services, should without compromising their own intellectual property rights or trade secrets, make available the required information, training or expertise and cooperate, as appropriate, with providers to enable their control over all compliance relevant aspects of the AI system that falls under this Regulation. To allow a cost-effective AI value chain governance, the level of control shall be explicitly disclosed by each third party that supplies the provider with a tool, service, component or process that is later incorporated by the provider into the AI system.deleted(60) Given the complexity of the artificial intelligence value chain, which often involves multiple entities supplying tools, services, components, or processes that are incorporated into the AI system, all relevant third parties, particularly those involved in the development, sale, and commercial supply of software tools, components, pre-trained models, or data, or providers of network services, should cooperate, as appropriate, with providers and users. This cooperation should enable their compliance with the obligations under this Regulation and with competent authorities established under this Regulation, without compromising their own intellectual property rights or trade secrets. These third parties should make available the required information, training, or expertise to enable control over all compliance-relevant aspects of the AI system that falls under this Regulation. The level of control should be explicitly disclosed by each third party that supplies the provider with a tool, service, component, or process that is later incorporated by the provider into the AI system, to allow for cost-effective AI value chain governance.
Recital (60a) (new)(60a)  Where one party is in a stronger bargaining position, there is a risk that that party could leverage such position to the detriment of the other contracting party when negotiating the supply of tools, services, components or processes that are used or integrated in a high risk AI system or the remedies for the breach or the termination of related obligations. Such contractual imbalances particularly harm micro, small and medium-sized enterprises as well as start-ups, unless they are owned or sub-contracted by an enterprise which is able to compensate the sub-contractor appropriately, as they are without a meaningful ability to negotiate the conditions of the contractual agreement, and may have no other choice than to accept ‘take-it-or-leave-it’ contractual terms. Therefore, unfair contract terms regulating the supply of tools, services, components or processes that are used or integrated in a high risk AI system or the remedies for the breach or the termination of related obligations should not be binding to such micro, small or medium-sized enterprises and start-ups when they have been unilaterally imposed on them.In situations where one party holds a stronger bargaining position, there is a potential risk of this party leveraging their position to the detriment of the other party during negotiations involving the supply of tools, services, components, or processes used or integrated in a high-risk AI system, or the remedies for the breach or termination of related obligations. This imbalance in contractual power can particularly harm micro, small, and medium-sized enterprises, as well as start-ups, unless they are owned or subcontracted by an enterprise capable of adequately compensating the subcontractor. These smaller entities often lack the ability to negotiate the conditions of the contractual agreement effectively and may be left with no choice but to accept ‘take-it-or-leave-it’ contractual terms. Therefore, any unfair contract terms related to the supply of tools, services, components, or processes used or integrated in a high-risk AI system, or the remedies for the breach or termination of related obligations, should not be binding on such micro, small, or medium-sized enterprises and start-ups if they have been unilaterally imposed.
Recital (60b) (new)(60b) Rules on contractual terms should take into account the principle of contractual freedom as an essential concept in business-to-business relationships. Therefore, not all contractual terms should be subject to an unfairness test, but only to those terms that are unilaterally imposed on micro, small and medium-sized enterprises and start-ups. This concerns ‘take-it-or-leave-it’ situations where one party supplies a certain contractual term and the micro, small or medium-sized enterprise and start-up cannot influence the content of that term despite an attempt to negotiate it. A contractual term that is simply provided by one party and accepted by the micro, small, medium-sized enterprise or a start-up or a term that is negotiated and subsequently agreed in an amended way between contracting parties should not be considered as unilaterally imposed.In accordance with the principle of contractual freedom, which is fundamental in business-to-business relationships, not all contractual terms should be subject to an unfairness test. This test should only apply to terms that are unilaterally imposed on micro, small and medium-sized enterprises and start-ups. This specifically pertains to ‘take-it-or-leave-it’ situations where one party provides a certain contractual term and the micro, small or medium-sized enterprise and start-up are unable to influence the content of that term despite attempts to negotiate. A contractual term that is merely provided by one party and accepted by the micro, small, medium-sized enterprise or a start-up, or a term that is negotiated and subsequently agreed upon in an amended form between contracting parties, should not be considered as unilaterally imposed.
Recital (60c) (new)(60c) Furthermore, the rules on unfair contractual terms should only apply to those elements of a contract that are related to supply of tools, services, components or processes that are used or integrated in a high risk AI system or the remedies for the breach or the termination of related obligations. Other parts of the same contract, unrelated to these elements, should not be subject to the unfairness test laid down in this Regulation.The rules on unfair contractual terms should only apply to those elements of a contract that are related to the supply of tools, services, components or processes that are used or integrated in a high risk AI system, or the remedies for the breach or the termination of related obligations. Other parts of the same contract, unrelated to these elements, should not be subject to the unfairness test laid down in this Regulation.
Recital (60d) (new)(60d) Criteria to identify unfair contractual terms should be applied only to excessive contractual terms, where a stronger bargaining position is abused. The vast majority of contractual terms that are commercially more favourable to one party than to the other, including those that are normal in business-to-business contracts, are a normal expression of the principle of contractual freedom and continue to apply. If a contractual term is not included in the list of terms that are always considered unfair, the general unfairness provision applies. In this regard, the terms listed as unfair terms should serve as a yardstick to interpret the general unfairness provision.Criteria for identifying unfair contractual terms should be applied solely to excessive terms where there is an abuse of a stronger bargaining position. The majority of contractual terms that are commercially more favorable to one party, including those common in business-to-business contracts, are a standard expression of contractual freedom and should continue to be applicable. If a contractual term is not included in the list of terms that are always considered unfair, the general unfairness provision should be applied. The terms listed as unfair should serve as a benchmark for interpreting the general unfairness provision.
Recital (60e) (new)(60e) Foundation models are a recent development, in which AI models are developed from algorithms designed to optimize for generality and versatility of output. Those models are often trained on a broad range of data sources and large amounts of data to accomplish a wide range of downstream tasks, including some for which they were not specifically developed and trained. The foundation model can be unimodal or multimodal, trained through various methods such as supervised learning or reinforced learning. AI systems with specific intended purpose or general purpose AI systems can be an implementation of a foundation model, which means that each foundation model can be reused in countless downstream AI or general purpose AI systems. These models hold growing importance to many downstream applications and systems.Foundation models represent a recent advancement in AI, characterized by their design which optimizes for generality and versatility of output. These models are typically trained on a diverse range of data sources and large volumes of data, enabling them to perform a wide array of downstream tasks, including those they were not specifically developed and trained for. Foundation models can be either unimodal or multimodal and can be trained through various methods such as supervised learning or reinforced learning. They can be implemented in AI systems with a specific intended purpose or in general purpose AI systems. This implies that each foundation model can be reused in numerous downstream AI or general purpose AI systems. The growing importance of these models is evident in their increasing use in many downstream applications and systems.
Recital (60f) (new)(60f) In the case of foundation models provided as a service such as through API access, the cooperation with downstream providers should extend throughout the time during which that service is provided and supported, in order to enable appropriate risk mitigation, unless the provider of the foundation model transfers the training model as well as extensive and appropriate information on the datasets and the development process of the system or restricts the service, such as the API access, in such a way that the downstream provider is able to fully comply with this Regulation without further support from the original provider of the foundation model.In the instance of foundation models offered as a service, such as through API access, the collaboration with downstream providers should be maintained throughout the duration of the service provision and support. This is to facilitate appropriate risk mitigation, unless the original provider of the foundation model transfers the training model along with comprehensive and relevant information on the datasets and the system’s development process. Alternatively, the service, such as API access, can be limited in a manner that allows the downstream provider to fully comply with this Regulation without requiring additional support from the original provider of the foundation model.
Recital (60g)(60g) In light of the nature and complexity of the value chain for AI system, it is essential to clarify the role of actors contributing to the development of AI systems. There is significant uncertainty as to the way foundation models will evolve, both in terms of typology of models and in terms of self-governance. Therefore, it is essential to clarify the legal situation of providers of foundation models. Combined with their complexity and unexpected impact, the downstream AI provider’s lack of control over the foundation model’s development and the consequent power imbalance and in order to ensure a fair sharing of responsibilities along the AI value chain, such models should be subject to proportionate and more specific requirements and obligations under this Regulation, namely foundation models should assess and mitigate possible risks and harms through appropriate design, testing and analysis, should implement data governance measures, including assessment of biases, and should comply with technical design requirements to ensure appropriate levels of performance, predictability, interpretability, corrigibility, safety and cybersecurity and should comply with environmental standards. These obligations should be accompanied by standards. Also, foundation models should have information obligations and prepare all necessary technical documentation for potential downstream providers to be able to comply with their obligations under this Regulation. Generative foundation models should ensure transparency about the fact the content is generated by an AI system, not by humans. These specific requirements and obligations do not amount to considering foundation models as high risk AI systems, but should guarantee that the objectives of this Regulation to ensure a high level of protection of fundamental rights, health and safety, environment, democracy and rule of law are achieved. Pre-trained models developed for a narrower, less general, more limited set of applications that cannot be adapted for a wide range of tasks such as simple multi-purpose AI systems should not be considered foundation models for the purposes of this Regulation, because of their greater interpretability which makes their behaviour less unpredictable.Given the complexity and evolving nature of AI systems, it is crucial to define the roles of all actors involved in their development, particularly those providing foundation models. These models should be subject to specific and proportionate requirements under this Regulation due to their complexity, potential impact, and the downstream AI provider’s lack of control over their development.

These requirements should include risk assessment and mitigation through appropriate design, testing, and analysis. Foundation models should also implement data governance measures, including bias assessment, and comply with technical design requirements to ensure performance, predictability, interpretability, corrigibility, safety, cybersecurity, and environmental standards.

In addition, foundation models should have information obligations and prepare necessary technical documentation to assist downstream providers in complying with their obligations under this Regulation. Generative foundation models should also ensure transparency by clearly indicating that their content is AI-generated, not human-generated.

However, these specific requirements and obligations do not classify foundation models as high-risk AI systems. Instead, they aim to ensure that this Regulation’s objectives of protecting fundamental rights, health and safety, the environment, democracy, and the rule of law are met.

Pre-trained models developed for a narrower, less general, more limited set of applications that cannot be adapted for a wide range of tasks, such as simple multi-purpose AI systems, should not be considered foundation models under this Regulation due to their greater interpretability and predictability.
Recital (60h)(60h) Given the nature of foundation models, expertise in conformity assessment is lacking and third-party auditing methods are still under development . The sector itself is therefore developing new ways to assess fundamental models that fulfil in part the objective of auditing (such as model evaluation, red-teaming or machine learning verification and validation techniques). Those internal assessments for foundation models should be should be broadly applicable (e.g. independent of distribution channels, modality, development methods), to address risks specific to such models taking into account industry state-of-the-art practices and focus on developing sufficient technical understanding and control over the model, the management of reasonably foreseeable risks, and extensive analysis and testing of the model through appropriate measures, such as by the involvement of independent evaluators. As foundation models are a new and fast-evolving development in the field of artificial intelligence, it is appropriate for the Commission and the AI Office to monitor and periodically asses the legislative and governance framework of such models and in particular of generative AI systems based on such models, which raise significant questions related to the generation of content in breach of Union law, copyright rules, and potential misuse. It should be clarified that this Regulation should be without prejudice to Union law on copyright and related rights, including Directives 2001/29/EC, 2004/48/ECR and (EU) 2019/790 of the European Parliament and of the Council.Given the emerging nature of foundation models, there is a recognized lack of expertise in conformity assessment and third-party auditing methods are still under development. The sector is actively developing new ways to assess these models, including model evaluation, red-teaming, and machine learning verification and validation techniques. These internal assessments should be broadly applicable, addressing risks specific to such models and taking into account industry state-of-the-art practices. The focus should be on developing sufficient technical understanding and control over the model, managing reasonably foreseeable risks, and conducting extensive analysis and testing through appropriate measures, such as the involvement of independent evaluators.

As foundation models represent a new and rapidly evolving aspect of artificial intelligence, it is deemed appropriate for the Commission and the AI Office to monitor and periodically assess the legislative and governance framework of such models. This is particularly relevant for generative AI systems based on these models, which raise significant questions related to the generation of content in breach of Union law, copyright rules, and potential misuse.

It is important to clarify that this Regulation should be without prejudice to Union law on copyright and related rights, including Directives 2001/29/EC, 2004/48/ECR and (EU) 2019/790 of the European Parliament and of the Council.
Recital (61)(61) Standardisation should play a key role to provide technical solutions to providers to ensure compliance with this Regulation. Compliance with harmonised standards as defined in Regulation (EU) No 1025/2012 of the European Parliament and of the Council54 should be a means for providers to demonstrate conformity with the requirements of this Regulation. However, the Commission could adopt common technical specifications in areas where no harmonised standards exist or where they are insufficient.


54. Regulation (EU) No 1025/2012 of the European Parliament and of the Council of 25 October 2012 on European standardisation, amending Council Directives 89/686/EEC and 93/15/EEC and Directives 94/9/EC, 94/25/EC, 95/16/EC, 97/23/EC, 98/34/EC, 2004/22/EC, 2007/23/EC, 2009/23/EC and 2009/105/EC of the European Parliament and of the Council and repealing Council Decision 87/95/EEC and Decision No 1673/2006/EC of the European Parliament and of the Council (OJ L 316, 14.11.2012, p. 12).		(61) Standardisation should play a key role to provide technical solutions to providers to ensure compliance with this Regulation. Compliance with harmonised standards as defined in Regulation (EU) No 1025/2012 of the European Parliament and of the Council54 should be a means for providers to demonstrate conformity with the requirements of this Regulation. To ensure the effectiveness of standards as policy tool for the Union and considering the importance of standards for ensuring conformity with the requirements of this Regulation and for the competitiveness of undertakings, it is necessary to ensure a balanced representation of interests by involving all relevant stakeholders in the development of standards. The standardisation process should be transparent in terms of legal and natural persons participating in the standardisation activities.


54. Regulation (EU) No 1025/2012 of the European Parliament and of the Council of 25 October 2012 on European standardisation, amending Council Directives 89/686/EEC and 93/15/EEC and Directives 94/9/EC, 94/25/EC, 95/16/EC, 97/23/EC, 98/34/EC, 2004/22/EC, 2007/23/EC, 2009/23/EC and 2009/105/EC of the European Parliament and of the Council and repealing Council Decision 87/95/EEC and Decision No 1673/2006/EC of the European Parliament and of the Council (OJ L 316, 14.11.2012, p. 12).		(61) Standardisation should play a key role to provide technical solutions to providers to ensure  compliance with this Regulation, in line with the state of the art. Compliance with  harmonised standards as defined in Regulation (EU) No 1025/2012 of the European  Parliament and of the Council25, which are normally expected to reflect the state of the  art,should be a means for providers to demonstrate conformity with the requirements of this  Regulation. However, in the absence of relevant references to harmonised standards, the  Commission should be able to establish, via implementing acts, common specifications for  certain requirements under this Regulation as an exceptional fall back solution to facilitate  the provider’s obligation to comply with the requirements of this Regulation, when the  standardisation process is blocked or when there are delays in the establishment of an  appropriate harmonised standard. If such delay is due to the technical complexity of the  standard in question, this should be considered by the Commission before contemplating the  establishment of common specifications. An appropriate involvement of small and medium  enterprises in the elaboration of standards supporting the implementation of this Regulation  is essential to promote innovation and competitiveness in the field of artificial intelligence  within the Union. Such involvement should be appropriately ensured in accordance with  Article 5 and 6 of Regulation 1025/2012.


25. Regulation (EU) No 1025/2012 of the European Parliament and of the Council of 25 October 2012 on European standardisation, amending Council Directives 89/686/EEC and 93/15/EEC and Directives 94/9/EC, 94/25/EC, 95/16/EC, 97/23/EC, 98/34/EC, 2004/22/EC, 2007/23/EC, 2009/23/EC and 2009/105/EC of the European Parliament and of the Council and repealing Council Decision 87/95/EEC and Decision No 1673/2006/EC of the European Parliament and of the Council (OJ L 316, 14.11.2012, p. 12).		(61) Standardisation should play a key role to provide technical solutions to providers to ensure compliance with this Regulation, in line with the state of the art. Compliance with harmonised standards as defined in Regulation (EU) No 1025/2012 of the European Parliament and of the Council should be a means for providers to demonstrate conformity with the requirements of this Regulation. However, in the absence of relevant references to harmonised standards, the Commission could adopt common technical specifications as an exceptional fall back solution to facilitate the provider’s obligation to comply with the requirements of this Regulation, when the standardisation process is blocked or when there are delays in the establishment of an appropriate harmonised standard. If such delay is due to the technical complexity of the standard in question, this should be considered by the Commission before contemplating the establishment of common specifications. To ensure the effectiveness of standards as a policy tool for the Union and considering the importance of standards for ensuring conformity with the requirements of this Regulation and for the competitiveness of undertakings, it is necessary to ensure a balanced representation of interests by involving all relevant stakeholders in the development of standards. The standardisation process should be transparent in terms of legal and natural persons participating in the standardisation activities. An appropriate involvement of small and medium enterprises in the elaboration of standards supporting the implementation of this Regulation is essential to promote innovation and competitiveness in the field of artificial intelligence within the Union. Such involvement should be appropriately ensured in accordance with Article 5 and 6 of Regulation 1025/2012.
Recital (61a) (new) [C](61a) It is appropriate that, without prejudice to the use of harmonised standards and common  specifications, providers benefit from a presumption of conformity with the relevant  requirement on data when their high-risk AI system has been trained and tested on data  reflecting the specific geographical, behavioural or functional setting within which the AI  system is intended to be used. Similarly, in line with Article 54(3) of Regulation (EU)  2019/881 of the European Parliament and of the Council, high-risk AI systems that have  been certified or for which a statement of conformity has been issued under a cybersecurity  scheme pursuant to that Regulation and the references of which have been published in the  Official Journal of the European Union should be presumed to be in compliance with the  cybersecurity requirement of this Regulation. This remains without prejudice to the  voluntary nature of that cybersecurity scheme. It is proposed that, without undermining the use of harmonised standards and common specifications, providers should be presumed to be in compliance with the relevant data requirement when their high-risk AI system has been trained and tested on data reflecting the specific geographical, behavioural or functional setting within which the AI system is intended to be used. Furthermore, high-risk AI systems that have been certified or for which a statement of conformity has been issued under a cybersecurity scheme pursuant to Regulation (EU) 2019/881 of the European Parliament and of the Council, and the references of which have been published in the Official Journal of the European Union, should be presumed to be in compliance with the cybersecurity requirement of this Regulation. This proposal acknowledges the voluntary nature of the cybersecurity scheme.
Recital (61a) (new) [P](61a) In order to facilitate compliance, the first standardisation requests should be issued by the Commission two months after the entry into force of this Regulation at the latest. This should serve to improve legal certainty, thereby promoting investment and innovation in AI, as well as competitiveness and growth of the Union market, while enhancing multistakeholder governance representing all relevant European stakeholders such as the AI Office, European standardisation organisations and bodies or experts groups established under relevant sectorial Union law as well as industry, SMEs, start-ups, civil society, researchers and social partners, and should ultimately facilitate global cooperation on standardisation in the field of AI in a manner consistent with Union values. When preparing the standardisation request, the Commission should consult the AI Office and the AI advisory Forum in order to collect relevant expertise.In order to ensure compliance and improve legal certainty, the first standardisation requests should be issued by the Commission no later than two months after the entry into force of this Regulation. This measure is expected to promote investment and innovation in AI, enhance the competitiveness and growth of the Union market, and strengthen multistakeholder governance. This governance should represent all relevant European stakeholders, including the AI Office, European standardisation organisations and bodies, expert groups established under relevant sectorial Union law, industry, SMEs, start-ups, civil society, researchers, and social partners. This approach should also facilitate global cooperation on standardisation in the field of AI in a manner consistent with Union values. In the preparation of the standardisation request, the Commission should consult with the AI Office and the AI advisory Forum to gather relevant expertise.
Recital (61b) (new)(61b) When AI systems are intended to be used at the workplace, harmonised standards should be limited to technical specifications and procedures.For AI systems intended for use in the workplace, harmonised standards should be confined to technical specifications and procedures.
Recital (61c) (new)(61c) The Commission should be able to adopt common specifications under certain conditions, when no relevant harmonised standard exists or to address specific fundamental rights concerns. Through the whole drafting process, the Commission should regularly consult the AI Office and its advisory forum, the European standardisation organisations and bodies or expert groups established under relevant sectorial Union law as well as relevant stakeholders, such as industry, SMEs, start-ups, civil society, researchers and social partners.The Commission should have the authority to adopt common specifications under certain conditions, particularly when no relevant harmonised standard exists or to address specific fundamental rights concerns. Throughout the entire drafting process, the Commission should consistently consult with the AI Office and its advisory forum. Additionally, the Commission should engage with the European standardisation organisations and bodies or expert groups established under relevant sectorial Union law. It is also crucial for the Commission to involve relevant stakeholders, such as industry, SMEs, start-ups, civil society, researchers and social partners in the consultation process.
Recital (61d) (new)(61d) When adopting common specifications, the Commission should strive for regulatory alignment of AI with likeminded global partners, which is key to fostering innovation and cross-border partnerships within the field of AI, as coordination with likeminded partners in international standardisation bodies is of great importance.In the adoption of common specifications, it is crucial that the Commission seeks regulatory alignment of AI with likeminded global partners. This alignment is instrumental in promoting innovation and fostering cross-border partnerships within the field of AI. Furthermore, coordination with these likeminded partners in international standardisation bodies holds significant importance.
Recital (62)(62) In order to ensure a high level of trustworthiness of high-risk AI systems, those systems should be subject to a conformity assessment prior to their placing on the market or putting into service.(62) In order to ensure a high level of trustworthiness of high-risk AI systems, those systems should be subject to a conformity assessment prior to their placing on the market or putting into service. To increase the trust in the value chain and to give certainty to businesses about the performance of their systems, third-parties that supply AI components may voluntarily apply for a third-party conformity assessment.(62) In order to ensure a high level of trustworthiness of high-risk AI systems, those systems  should be subject to a conformity assessment prior to their placing on the market or putting  into service.(62) In order to ensure a high level of trustworthiness of high-risk AI systems, those systems should be subject to a conformity assessment prior to their placing on the market or putting into service. To increase the trust in the value chain and to give certainty to businesses about the performance of their systems, third-parties that supply AI components may voluntarily apply for a third-party conformity assessment.
Recital (63)(63) It is appropriate that, in order to minimise the burden on operators and avoid any possible duplication, for high-risk AI systems related to products which are covered by existing Union harmonisation legislation following the New Legislative Framework approach, the compliance of those AI systems with the requirements of this Regulation should be assessed as part of the conformity assessment already foreseen under that legislation. The applicability of the requirements of this Regulation should thus not affect the specific logic, methodology or general structure of conformity assessment under the relevant specific New Legislative Framework legislation. This approach is fully reflected in the interplay between this Regulation and the [Machinery Regulation]. While safety risks of AI systems ensuring safety functions in machinery are addressed by the requirements of this Regulation, certain specific requirements in the [Machinery Regulation] will ensure the safe integration of the AI system into the overall machinery, so as not to compromise the safety of the machinery as a whole. The [Machinery Regulation] applies the same definition of AI system as this Regulation.(63) It is appropriate that, in order to minimise the burden on operators and avoid any possible duplication, for high-risk AI systems related to products which are covered by existing Union harmonisation legislation following the New Legislative Framework approach, the compliance of those AI systems with the requirements of this Regulation should be assessed as part of the conformity assessment already foreseen under that legislation. The applicability of the requirements of this Regulation should thus not affect the specific logic, methodology or general structure of conformity assessment under the relevant specific New Legislative Framework legislation. This approach is fully reflected in the interplay between this Regulation and the [Machinery Regulation]. While safety risks of AI systems ensuring safety functions in machinery are addressed by the requirements of this Regulation, certain specific requirements in the [Machinery Regulation] will ensure the safe integration of the AI system into the overall machinery, so as not to compromise the safety of the machinery as a whole. The [Machinery Regulation] applies the same definition of AI system as this Regulation.(63) It is appropriate that, in order to minimise the burden on operators and avoid any possible  duplication, for high-risk AI systems related to products which are covered by existing  Union harmonisation legislation following the New Legislative Framework approach, the  compliance of those AI systems with the requirements of this Regulation should be assessed  as part of the conformity assessment already foreseen under that legislation. The  applicability of the requirements of this Regulation should thus not affect the specific logic,  methodology or general structure of conformity assessment under the relevant specific New  Legislative Framework legislation. This approach is fully reflected in the interplay between  this Regulation and the [Machinery Regulation]. While safety risks of AI systems ensuring  safety functions in machinery are addressed by the requirements of this Regulation, certain  specific requirements in the [Machinery Regulation] will ensure the safe integration of the  AI system into the overall machinery, so as not to compromise the safety of the machinery  as a whole. The [Machinery Regulation] applies the same definition of AI system as this  Regulation. With regard to high-risk AI systems related to products covered by Regulations  745/2017 and 746/2017 on medical devices, the applicability of the requirements of this  Regulation should be without prejudice and take into account the risk management logic and  benefit-risk assessment performed under the medical device framework.(63) It is appropriate that, in order to minimise the burden on operators and avoid any possible duplication, for high-risk AI systems related to products which are covered by existing Union harmonisation legislation following the New Legislative Framework approach, the compliance of those AI systems with the requirements of this Regulation should be assessed as part of the conformity assessment already foreseen under that legislation. The applicability of the requirements of this Regulation should thus not affect the specific logic, methodology or general structure of conformity assessment under the relevant specific New Legislative Framework legislation. This approach is fully reflected in the interplay between this Regulation and the [Machinery Regulation]. While safety risks of AI systems ensuring safety functions in machinery are addressed by the requirements of this Regulation, certain specific requirements in the [Machinery Regulation] will ensure the safe integration of the AI system into the overall machinery, so as not to compromise the safety of the machinery as a whole. The [Machinery Regulation] applies the same definition of AI system as this Regulation. With regard to high-risk AI systems related to products covered by Regulations 745/2017 and 746/2017 on medical devices, the applicability of the requirements of this Regulation should be without prejudice and take into account the risk management logic and benefit-risk assessment performed under the medical device framework.
Recital (64)(64) Given the more extensive experience of professional pre-market certifiers in the field of product safety and the different nature of risks involved, it is appropriate to limit, at least in an initial phase of application of this Regulation, the scope of application of third-party conformity assessment for high-risk AI systems other than those related to products. Therefore, the conformity assessment of such systems should be carried out as a general rule by the provider under its own responsibility, with the only exception of AI systems intended to be used for the remote biometric identification of persons, for which the involvement of a notified body in the conformity assessment should be foreseen, to the extent they are not prohibited.(64) Given the complexity of high-risk AI systems and the risks that are associated to them, it is essential to develop a more adequate capacity for the application of third party conformity assessment for high-risk AI systems. However, given the current experience of professional pre-market certifiers in the field of product safety and the different nature of risks involved, it is appropriate to limit, at least in an initial phase of application of this Regulation, the scope of application of third-party conformity assessment for high-risk AI systems other than those related to products. Therefore, the conformity assessment of such systems should be carried out as a general rule by the provider under its own responsibility, with the only exception of AI systems intended to be used for the remote biometric identification of persons, or AI systems intended to be used to make inferences about personal characteristics of natural persons on the basis of biometric or biometrics-based data, including emotion recognition systems for which the involvement of a notified body in the conformity assessment should be foreseen, to the extent they are not prohibited.(64) Given the more extensive experience of professional pre-market certifiers in the field of  product safety and the different nature of risks involved, it is appropriate to limit, at least in  an initial phase of application of this Regulation, the scope of application of third-party  conformity assessment for high-risk AI systems other than those related to products.  Therefore, the conformity assessment of such systems should be carried out as a general rule  by the provider under its own responsibility, with the only exception of AI systems intended  to be used for the remote biometric identification of persons, for which the involvement of a  notified body in the conformity assessment should be foreseen, to the extent they are not  prohibited.(64) Given the complexity of high-risk AI systems and the risks associated with them, it is essential to develop a more adequate capacity for the application of third-party conformity assessment for high-risk AI systems. However, considering the more extensive experience of professional pre-market certifiers in the field of product safety and the different nature of risks involved, it is appropriate to limit, at least in an initial phase of application of this Regulation, the scope of application of third-party conformity assessment for high-risk AI systems other than those related to products. Therefore, the conformity assessment of such systems should be carried out as a general rule by the provider under its own responsibility. The only exceptions are AI systems intended to be used for the remote biometric identification of persons, or AI systems intended to be used to make inferences about personal characteristics of natural persons on the basis of biometric or biometrics-based data, including emotion recognition systems. For these systems, the involvement of a notified body in the conformity assessment should be foreseen, to the extent they are not prohibited.
Recital (65)(65) In order to carry out third-party conformity assessment for AI systems intended to be used for the remote biometric identification of persons, notified bodies should be designated under this Regulation by the national competent authorities, provided they are compliant with a set of requirements, notably on independence, competence and absence of conflicts of interests.(65) In order to carry out third-party conformity assessments when so required, notified bodies should be designated under this Regulation by the national competent authorities, provided they are compliant with a set of requirements, notably on independence, competence, absence of conflicts of interests and minimum cybersecurity requirements. Member States should encourage the designation of a sufficient number of conformity assessment bodies, in order to make the certification feasible in a timely manner. The procedures of assessment, designation, notification and monitoring of conformity assessment bodies should be implemented as uniformly as possible in Member States, with a view to removing administrative border barriers and ensuring that the potential of the internal market is realised.(65) In order to carry out third-party conformity assessment for AI systems intended to be used  for the remote biometric identification of persons, notified bodies should be notified under  this Regulation by the national competent authorities, provided they are compliant with a set  of requirements, notably on independence, competence and absence of conflicts of interests.  Notification of those bodies should be sent by national competent authorities to the  Commission and the other Member States by means of the electronic notification tool  developed and managed by the Commission pursuant to Article R23 of Decision 768/2008. (65) In order to carry out third-party conformity assessments for AI systems intended to be used for the remote biometric identification of persons, notified bodies should be designated under this Regulation by the national competent authorities, provided they are compliant with a set of requirements, notably on independence, competence, absence of conflicts of interests and minimum cybersecurity requirements. Notification of these bodies should be sent by national competent authorities to the Commission and the other Member States by means of the electronic notification tool developed and managed by the Commission pursuant to Article R23 of Decision 768/2008. Member States should encourage the designation of a sufficient number of conformity assessment bodies, in order to make the certification feasible in a timely manner. The procedures of assessment, designation, notification and monitoring of conformity assessment bodies should be implemented as uniformly as possible in Member States, with a view to removing administrative border barriers and ensuring that the potential of the internal market is realised.
Recital (65a) (new)(65a) In line with Union commitments under the World Trade Organization Agreement on Technical Barriers to Trade, it is adequate to maximise the acceptance of test results produced by competent conformity assessment bodies, independent of the territory in which they are established, where necessary to demonstrate conformity with the applicable requirements of the Regulation. The Commission should actively explore possible international instruments for that purpose and in particular pursue the possible establishment of mutual recognition agreements with countries which are on a comparable level of technical development, and have compatible approach concerning AI and conformity assessment.In accordance with the Union’s commitments under the World Trade Organization Agreement on Technical Barriers to Trade, it is crucial to maximize the acceptance of test results produced by competent conformity assessment bodies, regardless of their geographical location, in order to demonstrate conformity with the applicable requirements of the Regulation. The Commission is encouraged to actively investigate potential international instruments for this purpose. Specifically, the Commission should consider the establishment of mutual recognition agreements with countries that have a similar level of technical development and a compatible approach to AI and conformity assessment.
Recital (66)(66) In line with the commonly established notion of substantial modification for products regulated by Union harmonisation legislation, it is appropriate that an AI system undergoes a new conformity assessment whenever a change occurs which may affect the compliance of the system with this Regulation or when the intended purpose of the system changes. In addition, as regards AI systems which continue to ‘learn’ after being placed on the market or put into service (i.e. they automatically adapt how functions are carried out), it is necessary to provide rules establishing that changes to the algorithm and its performance that have been pre-determined by the provider and assessed at the moment of the conformity assessment should not constitute a substantial modification.(66) In line with the commonly established notion of substantial modification for products regulated by Union harmonisation legislation, it is appropriate that an high-risk AI system undergoes a new conformity assessment whenever an unplanned change occurs which goes beyond controlled or predetermined changes by the provider including continuous learning and which may create a new unacceptable risk and significantly affect the compliance of the high-risk AI system with this Regulation or when the intended purpose of the system changes. In addition, as regards AI systems which continue to ‘learn’ after being placed on the market or put into service (i.e. they automatically adapt how functions are carried out), it is necessary to provide rules establishing that changes to the algorithm and its performance that have been pre-determined by the provider and assessed at the moment of the conformity assessment should not constitute a substantial modification. The same should apply to updates of the AI system for security reasons in general and to protect against evolving threats of manipulation of the system, provided that they do not amount to a substantial modification(66) In line with the commonly established notion of substantial modification for products  regulated by Union harmonisation legislation, it is appropriate that whenever a change  occurs which may affect the compliance of a high risk AI system with this Regulation (e.g.  change of operating system or software architecture), or when the intended purpose of the  system changes, that AI system should be considered a new AI system which should  undergo a new conformity assessment. However, changes occuring to the algorithm and the  performance of AI systems which continue to ‘learn’ after being placed on the market or put  into service (i.e. automatically adapting how functions are carried out) should not constitute  a substantial modification, provided that those changes have been pre-determined by the  provider and assessed at the moment of the conformity assessment. (66) In line with the commonly established notion of substantial modification for products regulated by Union harmonisation legislation, it is appropriate that a high-risk AI system undergoes a new conformity assessment whenever a change occurs which may affect the compliance of the system with this Regulation or when the intended purpose of the system changes. This includes unplanned changes that go beyond controlled or predetermined changes by the provider, including continuous learning, which may create a new unacceptable risk. However, changes to the algorithm and its performance that have been pre-determined by the provider and assessed at the moment of the conformity assessment should not constitute a substantial modification. This also applies to updates of the AI system for security reasons in general and to protect against evolving threats of manipulation of the system, provided that they do not amount to a substantial modification. In the event of a change of operating system or software architecture, the AI system should be considered a new AI system and should undergo a new conformity assessment.
Recital (67)(67) High-risk AI systems should bear the CE marking to indicate their conformity with this Regulation so that they can move freely within the internal market. Member States should not create unjustified obstacles to the placing on the market or putting into service of high-risk AI systems that comply with the requirements laid down in this Regulation and bear the CE marking.(67) High-risk AI systems should bear the CE marking to indicate their conformity with this Regulation so that they can move freely within the internal market. For physical high-risk AI systems, a physical CE marking should be affixed, and may be complemented by a digital CE marking. For digital only high-risk AI systems, a digital CE marking should be used. Member States should not create unjustified obstacles to the placing on the market or putting into service of high-risk AI systems that comply with the requirements laid down in this Regulation and bear the CE marking.(67) High-risk AI systems should bear the CE marking to indicate their conformity with this  Regulation so that they can move freely within the internal market. Member States should  not create unjustified obstacles to the placing on the market or putting into service of high risk AI systems that comply with the requirements laid down in this Regulation and bear the  CE marking.(67) High-risk AI systems should bear the CE marking to indicate their conformity with this Regulation so that they can move freely within the internal market. For physical high-risk AI systems, a physical CE marking should be affixed, and may be complemented by a digital CE marking. For digital only high-risk AI systems, a digital CE marking should be used. Member States should not create unjustified obstacles to the placing on the market or putting into service of high-risk AI systems that comply with the requirements laid down in this Regulation and bear the CE marking.
Recital (68)(68) Under certain conditions, rapid availability of innovative technologies may be crucial for health and safety of persons and for society as a whole. It is thus appropriate that under exceptional reasons of public security or protection of life and health of natural persons and the protection of industrial and commercial property, Member States could authorise the placing on the market or putting into service of AI systems which have not undergone a conformity assessment(68) Under certain conditions, rapid availability of innovative technologies may be crucial for  health and safety of persons and for society as a whole. It is thus appropriate that under  exceptional reasons of public security or protection of life and health of natural persons and  the protection of industrial and commercial property, Member States could authorise the  placing on the market or putting into service of AI systems which have not undergone a  conformity assessment.(68) Under certain conditions, rapid availability of innovative technologies may be crucial for  health and safety of persons and for society as a whole. It is thus appropriate that under  exceptional reasons of public security or protection of life and health of natural persons and  the protection of industrial and commercial property, Member States could authorise the  placing on the market or putting into service of AI systems which have not undergone a  conformity assessment.(68) Under certain conditions, rapid availability of innovative technologies may be crucial for health and safety of persons and for society as a whole. It is thus appropriate that under exceptional reasons of public security or protection of life and health of natural persons and the protection of industrial and commercial property, Member States could authorise the placing on the market or putting into service of AI systems which have not undergone a conformity assessment.
Recital (69)(69) In order to facilitate the work of the Commission and the Member States in the artificial intelligence field as well as to increase the transparency towards the public, providers of high-risk AI systems other than those related to products falling within the scope of relevant existing Union harmonisation legislation, should be required to register their high-risk AI system in a EU database, to be established and managed by the Commission. The Commission should be the controller of that database, in accordance with Regulation (EU) 2018/1725 of the European Parliament and of the Council55. In order to ensure the full functionality of the database, when deployed, the procedure for setting the database should include the elaboration of functional specifications by the Commission and an independent audit report.


55. Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ L 119, 4.5.2016, p. 1).		(69) In order to facilitate the work of the Commission and the Member States in the artificial intelligence field as well as to increase the transparency towards the public, providers of high-risk AI systems other than those related to products falling within the scope of relevant existing Union harmonisation legislation, should be required to register their high-risk AI system and foundation models in a EU database, to be established and managed by the Commission. This database should be freely and publicly accessible, easily understandable and machine-readable. The database should also be user-friendly and easily navigable, with search functionalities at minimum allowing the general public to search the database for specific high-risk systems, locations, categories of risk under Annex IV and keywords. Deployers who are public authorities or Union institutions, bodies, offices and agencies or deployers acting on their behalf and deployers who are undertakings designated as a gatekeeper under Regulation (EU)2022/1925 should also register in the EU database before putting into service or using a high-risk AI system for the first time and following each substantial modification. Other deployers should be entitled to do so voluntarily. Any substantial modification of high-risk AI systems shall also be registered in the EU database. The Commission should be the controller of that database, in accordance with Regulation (EU) 2018/1725 of the European Parliament and of the Council55. In order to ensure the full functionality of the database, when deployed, the procedure for setting the database should include the elaboration of functional specifications by the Commission and an independent audit report. The Commission should take into account cybersecurity and hazard-related risks when carrying out its tasks as data controller on the EU database. In order to maximise the availability and use of the database by the public, the database, including the information made available through it, should comply with requirements under the Directive 2019/882.


55. Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ L 119, 4.5.2016, p. 1).		(69) In order to facilitate the work of the Commission and the Member States in the artificial  intelligence field as well as to increase the transparency towards the public, providers of  high-risk AI systems other than those related to products falling within the scope of relevant  existing Union harmonisation legislation, should be required to register themselves and  information about their high-risk AI system in a EU database, to be established and managed  by the Commission. Before using a high-risk AI system listed in Annex III, users of high risk AI systems that are public authorities, agencies or bodies, with the exception of law  enforcement, border control, immigration or asylum authorities, and authorities that are  users of high-risk AI systems in the area of critical infrastructure shall also register  themselves in such database and select the system that they envisage to use. The  Commission should be the controller of that database, in accordance with Regulation (EU)  2018/1725 of the European Parliament and of the Council26. In order to ensure the full  functionality of the database, when deployed, the procedure for setting the database should  include the elaboration of functional specifications by the Commission and an independent  audit report. 

–––––
26. Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ L 119, 4.5.2016, p. 1).		(69) In order to facilitate the work of the Commission and the Member States in the artificial intelligence field as well as to increase the transparency towards the public, providers of high-risk AI systems other than those related to products falling within the scope of relevant existing Union harmonisation legislation, should be required to register themselves, their high-risk AI system and foundation models in a EU database, to be established and managed by the Commission. This database should be freely and publicly accessible, easily understandable, machine-readable, user-friendly and easily navigable, with search functionalities at minimum allowing the general public to search the database for specific high-risk systems, locations, categories of risk under Annex IV and keywords.

Before using a high-risk AI system listed in Annex III, users of high-risk AI systems that are public authorities, agencies or bodies, with the exception of law enforcement, border control, immigration or asylum authorities, and authorities that are users of high-risk AI systems in the area of critical infrastructure shall also register themselves in such database and select the system that they envisage to use. Deployers who are public authorities or Union institutions, bodies, offices and agencies or deployers acting on their behalf and deployers who are undertakings designated as a gatekeeper under Regulation (EU)2022/1925 should also register in the EU database before putting into service or using a high-risk AI system for the first time and following each substantial modification. Other deployers should be entitled to do so voluntarily. Any substantial modification of high-risk AI systems shall also be registered in the EU database.

The Commission should be the controller of that database, in accordance with Regulation (EU) 2018/1725 of the European Parliament and of the Council. In order to ensure the full functionality of the database, when deployed, the procedure for setting the database should include the elaboration of functional specifications by the Commission and an independent audit report. The Commission should take into account cybersecurity and hazard-related risks when carrying out its tasks as data controller on the EU database. In order to maximise the availability and use of the database by the public, the database, including the information made available through it, should comply with requirements under the Directive 2019/882.
Recital (70)(70) Certain AI systems intended to interact with natural persons or to generate content may pose specific risks of impersonation or deception irrespective of whether they qualify as high-risk or not. In certain circumstances, the use of these systems should therefore be subject to specific transparency obligations without prejudice to the requirements and obligations for high-risk AI systems. In particular, natural persons should be notified that they are interacting with an AI system, unless this is obvious from the circumstances and the context of use. Moreover, natural persons should be notified when they are exposed to an emotion recognition system or a biometric categorisation system. Such information and notifications should be provided in accessible formats for persons with disabilities. Further, users, who use an AI system to generate or manipulate image, audio or video content that appreciably resembles existing persons, places or events and would falsely appear to a person to be authentic, should disclose that the content has been artificially created or manipulated by labelling the artificial intelligence output accordingly and disclosing its artificial origin.(70) Certain AI systems intended to interact with natural persons or to generate content may pose specific risks of impersonation or deception irrespective of whether they qualify as high-risk or not. In certain circumstances, the use of these systems should therefore be subject to specific transparency obligations without prejudice to the requirements and obligations for high-risk AI systems. In particular, natural persons should be notified that they are interacting with an AI system, unless this is obvious from the circumstances and the context of use. Moreover, natural persons should be notified when they are exposed to an emotion recognition system or a biometric categorisation system. Such information and notifications should be provided in accessible formats for persons with disabilities. Further, users, who use an AI system to generate or manipulate image, audio or video content that appreciably resembles existing persons, places or events and would falsely appear to a person to be authentic, should disclose that the content has been artificially created or manipulated by labelling the artificial intelligence output accordingly and disclosing its artificial origin.(70) Certain AI systems intended to interact with natural persons or to generate content may pose  specific risks of impersonation or deception irrespective of whether they qualify as high-risk  or not. In certain circumstances, the use of these systems should therefore be subject to  specific transparency obligations without prejudice to the requirements and obligations for  high-risk AI systems. In particular, natural persons should be notified that they are  interacting with an AI system, unless this is obvious from the point of view of a natural  person who is reasonably well-informed, observant and circumspect taking into account the  circumstances and the context of use. When implementing such obligation, the  characteristics of individuals belonging to vulnerable groups due to their age or disability  should be taken into account to the extent the AI system is intended to interact with those  groups as well. Moreover, natural persons should be notified when they are exposed to  systems that, by processing their biometric data, can identify or infer the emotions or  intentions of those persons or assign them to specific categories. Such specific categories  can relate to aspects such as sex, age, hair colour, eye colour, tatoos, personal traits, ethnic  origin, personal preferences and interests or to other aspects such as sexual or political  orientation. Such information and notifications should be provided in accessible formats for  persons with disabilities. Further, users, who use an AI system to generate or manipulate  image, audio or video content that appreciably resembles existing persons, places or events  and would falsely appear to a person to be authentic, should disclose that the content has  been artificially created or manipulated by labelling the artificial intelligence output  accordingly and disclosing its artificial origin. The compliance with the information  obligations referred to above should not be interpreted as indicating that the use of the  system or its output is lawful under this Regulation or other Union and Member State law and should be without prejudice to other transparency obligations for users of AI systems  laid down in Union or national law. Furthermore it should also not be interpreted as  indicating that the use of the system or its output impedes the right to freedom of expression  and the right to freedom of the arts and sciences guaranteed in the Charter of Funadamental  Rights of the EU, in particular where the content is part of an evidently creative, satirical,  artistic or fictional work or programme, subject to appropriate safeguards for the rights and  freedoms of third parties.(70) Certain AI systems intended to interact with natural persons or to generate content may pose specific risks of impersonation or deception irrespective of whether they qualify as high-risk or not. In certain circumstances, the use of these systems should therefore be subject to specific transparency obligations without prejudice to the requirements and obligations for high-risk AI systems. In particular, natural persons should be notified that they are interacting with an AI system, unless this is obvious from the point of view of a natural person who is reasonably well-informed, observant and circumspect taking into account the circumstances and the context of use. Moreover, natural persons should be notified when they are exposed to an emotion recognition system or a biometric categorisation system that, by processing their biometric data, can identify or infer the emotions or intentions of those persons or assign them to specific categories. Such specific categories can relate to aspects such as sex, age, hair colour, eye colour, tattoos, personal traits, ethnic origin, personal preferences and interests or to other aspects such as sexual or political orientation. Such information and notifications should be provided in accessible formats for persons with disabilities, taking into account the characteristics of individuals belonging to vulnerable groups due to their age or disability to the extent the AI system is intended to interact with those groups as well. Further, users, who use an AI system to generate or manipulate image, audio or video content that appreciably resembles existing persons, places or events and would falsely appear to a person to be authentic, should disclose that the content has been artificially created or manipulated by labelling the artificial intelligence output accordingly and disclosing its artificial origin. The compliance with the information obligations referred to above should not be interpreted as indicating that the use of the system or its output is lawful under this Regulation or other Union and Member State law and should be without prejudice to other transparency obligations for users of AI systems laid down in Union or national law. Furthermore, it should also not be interpreted as indicating that the use of the system or its output impedes the right to freedom of expression and the right to freedom of the arts and sciences guaranteed in the Charter of Fundamental Rights of the EU, in particular where the content is part of an evidently creative, satirical, artistic or fictional work or programme, subject to appropriate safeguards for the rights and freedoms of third parties.
Recital (71)(71) Artificial intelligence is a rapidly developing family of technologies that requires novel forms of regulatory oversight and a safe space for experimentation, while ensuring responsible innovation and integration of appropriate safeguards and risk mitigation measures. To ensure a legal framework that is innovation-friendly, future-proof and resilient to disruption, national competent authorities from one or more Member States should be encouraged to establish artificial intelligence regulatory sandboxes to facilitate the development and testing of innovative AI systems under strict regulatory oversight before these systems are placed on the market or otherwise put into service.(71) Artificial intelligence is a rapidly developing family of technologies that requires regulatory oversight and a safe and controlled space for experimentation, while ensuring responsible innovation and integration of appropriate safeguards and risk mitigation measures. To ensure a legal framework that promotes innovation, is future-proof, and resilient to disruption, Member States should establish at least one artificial intelligence regulatory sandbox to facilitate the development and testing of innovative AI systems under strict regulatory oversight before these systems are placed on the market or otherwise put into service. It is indeed desirable for the establishment of regulatory sandboxes, whose establishment is currently left at the discretion of Member States, as a next step to be made mandatory with established criteria. That mandatory sandbox could also be established jointly with one or several other Member States, as long as that sandbox would cover the respective national level of the involved Member States. Additional sandboxes may also be established at different levels, including cross Member States, in order to facilitate cross-border cooperation and synergies. With the exception of the mandatory sandbox at national level, Member States should also be able to establish virtual or hybrid sandboxes. All regulatory sandboxes should be able to accommodate both physical and virtual products. Establishing authorities should also ensure that the regulatory sandboxes have the adequate financial and human resources for their functioning.(71) Artificial intelligence is a rapidly developing family of technologies that requires novel  forms of regulatory oversight and a safe space for experimentation, while ensuring  responsible innovation and integration of appropriate safeguards and risk mitigation  measures. To ensure a legal framework that is innovation-friendly, future-proof and resilient  to disruption, national competent authorities from one or more Member States should be  encouraged to establish artificial intelligence regulatory sandboxes to facilitate the  development and testing of innovative AI systems under strict regulatory oversight before  these systems are placed on the market or otherwise put into service.(71) Artificial intelligence is a rapidly developing family of technologies that requires novel forms of regulatory oversight and a safe, controlled space for experimentation, while ensuring responsible innovation and integration of appropriate safeguards and risk mitigation measures. To ensure a legal framework that is innovation-friendly, future-proof, and resilient to disruption, national competent authorities from one or more Member States should be encouraged to establish at least one artificial intelligence regulatory sandbox. This would facilitate the development and testing of innovative AI systems under strict regulatory oversight before these systems are placed on the market or otherwise put into service. The establishment of regulatory sandboxes should be made mandatory with established criteria, and could be established jointly with one or several other Member States, as long as that sandbox would cover the respective national level of the involved Member States. Additional sandboxes may also be established at different levels, including cross Member States, to facilitate cross-border cooperation and synergies. With the exception of the mandatory sandbox at national level, Member States should also be able to establish virtual or hybrid sandboxes. All regulatory sandboxes should be able to accommodate both physical and virtual products. Establishing authorities should also ensure that the regulatory sandboxes have the adequate financial and human resources for their functioning.
Recital (72)(72) The objectives of the regulatory sandboxes should be to foster AI innovation by establishing a controlled experimentation and testing environment in the development and pre-marketing phase with a view to ensuring compliance of the innovative AI systems with this Regulation and other relevant Union and Member States legislation; to enhance legal certainty for innovators and the competent authorities’ oversight and understanding of the opportunities, emerging risks and the impacts of AI use, and to accelerate access to markets, including by removing barriers for small and medium enterprises (SMEs) and start-ups. To ensure uniform implementation across the Union and economies of scale, it is appropriate to establish common rules for the regulatory sandboxes’ implementation and a framework for cooperation between the relevant authorities involved in the supervision of the sandboxes. This Regulation should provide the legal basis for the use of personal data collected for other purposes for developing certain AI systems in the public interest within the AI regulatory sandbox, in line with Article 6(4) of Regulation (EU) 2016/679, and Article 6 of Regulation (EU) 2018/1725, and without prejudice to Article 4(2) of Directive (EU) 2016/680. Participants in the sandbox should ensure appropriate safeguards and cooperate with the competent authorities, including by following their guidance and acting expeditiously and in good faith to mitigate any high-risks to safety and fundamental rights that may arise during the development and experimentation in the sandbox. The conduct of the participants in the sandbox should be taken into account when competent authorities decide whether to impose an administrative fine under Article 83(2) of Regulation 2016/679 and Article 57 of Directive 2016/680.(72) The objectives of the regulatory sandboxes should be: for the establishing authorities to increase their understanding of technical developments, improve supervisory methods and provide guidance to AI systems developers and providers to achieve regulatory compliance with this Regulation or where relevant, other applicable Union and Member States legislation, as well as with the Charter of Fundamental Rights ; for the prospective providers to allow and facilitate the testing and development of innovative solutions related to AI systems in the pre-marketing phase to enhance legal certainty, to allow for more regulatory learning by establishing authorities in a controlled environment to develop better guidance and to identify possible future improvements of the legal framework through the ordinary legislative procedure. Any significant risks identified during the development and testing of such AI systems should result in immediate mitigation and, failing that, in the suspension of the development and testing process until such mitigation takes place. To ensure uniform implementation across the Union and economies of scale, it is appropriate to establish common rules for the regulatory sandboxes’ implementation and a framework for cooperation between the relevant authorities involved in the supervision of the sandboxes. Member States should ensure that regulatory sandboxes are widely available throughout the Union, while the participation should remain voluntary. It is especially important to ensure that SMEs and startups can easily access these sandboxes, are actively involved and participate in the development and testing of innovative AI systems, in order to be able to contribute with their knowhow and experience.(72) The objectives of the AI regulatory sandboxes should be to foster AI innovation by  establishing a controlled experimentation and testing environment in the development and  pre-marketing phase with a view to ensuring compliance of the innovative AI systems with  this Regulation and other relevant Union and Member States legislation; to enhance legal  certainty for innovators and the competent authorities’ oversight and understanding of the  opportunities, emerging risks and the impacts of AI use, and to accelerate access to markets,  including by removing barriers for small and medium enterprises (SMEs), including start ups. The participation in the AI regulatory sandbox should focus on issues that raise legal  uncertainty for providers and prospective providers to innovate, experiment with AI in the  Union and contribute to evidence-based regulatory learning. The supervision of the AI  systems in the AI regulatory sandbox should therefore cover their development, training,  testing and validation before the systems are placed on the market or put into service, as well  as the notion and occurrence of substantial modification that may require a new conformity  assessment procedure. Where appropriate, national competent authorities establishing AI  regulatory sandboxes should cooperate with other relevant authorities, including those  supervising the protection of fundamental rights, and could allow for the involvement of  other actors within the AI ecosystem such as national or European standardisation  organisations, notified bodies, testing and experimentation facilities, research and  experimentation labs, innovation hubs and relevant stakeholder and civil society  organisations. To ensure uniform implementation across the Union and economies of scale,  it is appropriate to establish common rules for the regulatory sandboxes’ implementation  and a framework for cooperation between the relevant authorities involved in the  supervision of the sandboxes. AI regulatory sandboxes established under this Regulation  should be without prejudice to other legislation allowing for the establishment of other  sandboxes aiming at ensuring compliance with legislation other that this Regulation. Where  appropriate, relevant competent authorities in charge of those other regulatory sandboxes  should consider the benefits of using those sandboxes also for the purpose of ensuring  compliance of AI systems with this Regulation. Upon agreement between the national  competent authorities and the participants in the AI regulatory sandbox, testing in real world  conditions may also be operated and supervised in the framework of the AI regulatory  sandbox.(72) The objectives of the AI regulatory sandboxes should be to foster AI innovation by establishing a controlled experimentation and testing environment in the development and pre-marketing phase with a view to ensuring compliance of the innovative AI systems with this Regulation and other relevant Union and Member States legislation. The sandboxes should enhance legal certainty for innovators and improve the competent authorities’ oversight and understanding of the technical developments, opportunities, emerging risks and the impacts of AI use. They should also accelerate access to markets, including by removing barriers for small and medium enterprises (SMEs) and start-ups. The participation in the AI regulatory sandbox should focus on issues that raise legal uncertainty for providers and prospective providers to innovate, experiment with AI in the Union and contribute to evidence-based regulatory learning. The supervision of the AI systems in the AI regulatory sandbox should cover their development, training, testing and validation before the systems are placed on the market or put into service. Any significant risks identified during the development and testing of such AI systems should result in immediate mitigation and, failing that, in the suspension of the development and testing process until such mitigation takes place. To ensure uniform implementation across the Union and economies of scale, it is appropriate to establish common rules for the regulatory sandboxes’ implementation and a framework for cooperation between the relevant authorities involved in the supervision of the sandboxes. Member States should ensure that regulatory sandboxes are widely available throughout the Union, while the participation should remain voluntary. It is especially important to ensure that SMEs and startups can easily access these sandboxes, are actively involved and participate in the development and testing of innovative AI systems, in order to be able to contribute with their knowhow and experience. AI regulatory sandboxes established under this Regulation should be without prejudice to other legislation allowing for the establishment of other sandboxes aiming at ensuring compliance with legislation other than this Regulation.
Recital (72a) [P] / (-72a) [C] (new)(72a) This Regulation should provide the legal basis for the use of personal data collected for other purposes for developing certain AI systems in the public interest within the AI regulatory sandbox only under specified conditions in line with Article 6(4) of Regulation (EU) 2016/679, and Article 6 of Regulation (EU) 2018/1725, and without prejudice to Article 4(2) of Directive (EU) 2016/680. Prospective providers in the sandbox should ensure appropriate safeguards and cooperate with the competent authorities, including by following their guidance and acting expeditiously and in good faith to mitigate any high-risks to safety, health and the environment and fundamental rights that may arise during the development and experimentation in the sandbox. The conduct of the prospective providers in the sandbox should be taken into account when competent authorities decide over the temporary or permanent suspension of their participation in the sandbox whether to impose an administrative fine under Article 83(2) of Regulation 2016/679 and Article 57 of Directive 2016/680.(-72a) This Regulation should provide the legal basis for the participants in the AI regulatory  sandbox to use personal data collected for other purposes for developing certain AI systems  in the public interest within the AI regulatory sandbox, in line with Article 6(4) and 9(2)(g)  of Regulation (EU) 2016/679, and Article 5 and 10 of Regulation (EU) 2018/1725, and  without prejudice to Articles 4(2) and 10 of Directive (EU) 2016/680. All other obligations  of data controllers and rights of data subjects under Regulation (EU) 2016/679, Regulation  (EU) 2018/1725 and Directive (EU) 2016/680 remain applicable. In particular, this  Regulation should not provide a legal basis in the meaning of Article 22(2)(b) of Regulation  (EU) 2016/679 and Article 24(2)(b) of Regulation (EU) 2018/1725. Participants in the  sandbox should ensure appropriate safeguards and cooperate with the competent authorities,  including by following their guidance and acting expeditiously and in good faith to mitigate  any high-risks to safety and fundamental rights that may arise during the development and  experimentation in the sandbox. The conduct of the participants in the sandbox should be  taken into account when competent authorities decide whether to impose an administrative  fine under Article 83(2) of Regulation 2016/679 and Article 57 of Directive 2016/680.This Regulation should provide the legal basis for the participants in the AI regulatory sandbox to use personal data collected for other purposes for developing certain AI systems in the public interest within the AI regulatory sandbox, in line with Article 6(4) and 9(2)(g) of Regulation (EU) 2016/679, and Article 5, 6 and 10 of Regulation (EU) 2018/1725, and without prejudice to Articles 4(2) and 10 of Directive (EU) 2016/680. All other obligations of data controllers and rights of data subjects under Regulation (EU) 2016/679, Regulation (EU) 2018/1725 and Directive (EU) 2016/680 remain applicable. This Regulation should not provide a legal basis in the meaning of Article 22(2)(b) of Regulation (EU) 2016/679 and Article 24(2)(b) of Regulation (EU) 2018/1725. Participants in the sandbox should ensure appropriate safeguards and cooperate with the competent authorities, including by following their guidance and acting expeditiously and in good faith to mitigate any high-risks to safety, health, the environment and fundamental rights that may arise during the development and experimentation in the sandbox. The conduct of the participants in the sandbox should be taken into account when competent authorities decide over the temporary or permanent suspension of their participation in the sandbox or whether to impose an administrative fine under Article 83(2) of Regulation 2016/679 and Article 57 of Directive 2016/680.
Recital (72a) (new) [C](72a) In order to accelerate the process of development and placing on the market of high-risk AI  systems listed in Annex III, it is important that providers or prospective providers of such  systems may also benefit from a specific regime for testing those systems in real world  conditions, without participating in an AI regulatory sandbox. However, in such cases and  taking into account the possible consequences of such testing on individuals, it should be  ensured that appropriate and sufficient guarantees and conditions are introduced by the  Regulation for providers or prospective providers. Such guarantees should include, among  others, requesting informed consent of natural persons to participate in testing in real world  conditions, with the exception of law enforcement in cases where the seeking of informed  consent would prevent the AI system from being tested. Consent of subjects to participate in  such testing under this Regulation is distinct from and without prejudice to consent of data  subjects for the processing of their personal data under the relevant data protection law.In order to expedite the development and market introduction of high-risk AI systems listed in Annex III, it is crucial that providers or potential providers of these systems have the opportunity to test these systems in real-world conditions, without the necessity of participating in an AI regulatory sandbox. However, considering the potential impact of such testing on individuals, the Regulation should introduce appropriate and sufficient guarantees and conditions for providers or potential providers. These guarantees should encompass, among others, the requirement for informed consent from natural persons to participate in real-world testing, with the exception of law enforcement situations where seeking informed consent could hinder the testing of the AI system. The consent for participation in such testing under this Regulation is separate from and does not prejudice the consent of data subjects for the processing of their personal data under the applicable data protection law.
Recital (72b) (new)(72b) To ensure that Artificial Intelligence leads to socially and environmentally beneficial outcomes, Member States should support and promote research and development of AI in support of socially and environmentally beneficial outcomes by allocating sufficient resources, including public and Union funding, and giving priority access to regulatory sandboxes to projects led by civil society. Such projects should be based on the principle of interdisciplinary cooperation between AI developers, experts on inequality and non-discrimination, accessibility, consumer, environmental, and digital rights, as well as academicsTo ensure the development of Artificial Intelligence (AI) that leads to socially and environmentally beneficial outcomes, it is proposed that Member States should actively support and promote research and development in this field. This can be achieved by allocating sufficient resources, including public and Union funding. Priority access to regulatory sandboxes should be given to projects led by civil society. These projects should be grounded on the principle of interdisciplinary cooperation. This cooperation should involve AI developers, experts on inequality and non-discrimination, accessibility, consumer, environmental, and digital rights, as well as academics.
Recital (73)(73) In order to promote and protect innovation, it is important that the interests of small-scale providers and users of AI systems are taken into particular account. To this objective, Member States should develop initiatives, which are targeted at those operators, including on awareness raising and information communication. Moreover, the specific interests and needs of small-scale providers shall be taken into account when Notified Bodies set conformity assessment fees. Translation costs related to mandatory documentation and communication with authorities may constitute a significant cost for providers and other operators, notably those of a smaller scale. Member States should possibly ensure that one of the languages determined and accepted by them for relevant providers’ documentation and for communication with operators is one which is broadly understood by the largest possible number of cross-border users.(73) In order to promote and protect innovation, it is important that the interests of small-scale providers and users of AI systems are taken into particular account. To this objective, Member States should develop initiatives, which are targeted at those operators, including on AI literacy, awareness raising and information communication. Member States shall utilise existing channels and where appropriate, establish new dedicated channels for communication with SMEs, start-ups, user and other innovators to provide guidance and respond to queries about the implementation of this Regulation. Such existing channels could include but are not limited to ENISA’s Computer Security Incident Response Teams, National Data Protection Agencies, the AI-on demand platform, the European Digital Innovation Hubs and other relevant instruments funded by EU programmes as well as the Testing and Experimentation Facilities established by the Commission and the Member States at national or Union level. Where appropriate, these channels shall work together to create synergies and ensure homogeneity in their guidance to start-ups, SMEs and users. Moreover, the specific interests and needs of small-scale providers shall be taken into account when Notified Bodies set conformity assessment fees. The Commission shall regularly assess the certification and compliance costs for SMEs and start-ups, including through transparent consultations with SMEs, start-ups and users and shall work with Member States to lower such costs. For example, translation costs related to mandatory documentation and communication with authorities may constitute a significant cost for providers and other operators, notably those of a smaller scale. Member States should possibly ensure that one of the languages determined and accepted by them for relevant providers’ documentation and for communication with operators is one which is broadly understood by the largest possible number of cross-border users. Medium-sized enterprises which recently changed from the small to medium-size category within the meaning of the Annex to Recommendation 2003/361/EC (Article 16) shall have access to these initiatives and guidance for a period of time deemed appropriate by the Member States, as these new medium-sized enterprises may sometimes lack the legal resources and training necessary to ensure proper understanding and compliance with provisions.(73) In order to promote and protect innovation, it is important that the interests of SME  providers and users of AI systems are taken into particular account. To this objective,  Member States should develop initiatives, which are targeted at those operators, including  on awareness raising and information communication. Moreover, the specific interests and  needs of SME providers shall be taken into account when notified bodies set conformity  assessment fees. Translation costs related to mandatory documentation and communication  with authorities may constitute a significant cost for providers and other operators, notably  those of a smaller scale. Member States should possibly ensure that one of the languages  determined and accepted by them for relevant providers’ documentation and for  communication with operators is one which is broadly understood by the largest possible  number of cross-border users.(73) In order to promote and protect innovation, it is crucial that the interests of small-scale providers, SMEs, and users of AI systems are taken into particular account. To this objective, Member States should develop initiatives, which are targeted at those operators, including on AI literacy, awareness raising, and information communication. Member States shall utilise existing channels and where appropriate, establish new dedicated channels for communication with SMEs, start-ups, user and other innovators to provide guidance and respond to queries about the implementation of this Regulation. Such existing channels could include but are not limited to ENISA’s Computer Security Incident Response Teams, National Data Protection Agencies, the AI-on demand platform, the European Digital Innovation Hubs and other relevant instruments funded by EU programmes as well as the Testing and Experimentation Facilities established by the Commission and the Member States at national or Union level. Where appropriate, these channels shall work together to create synergies and ensure homogeneity in their guidance to start-ups, SMEs and users. Moreover, the specific interests and needs of small-scale providers and SMEs shall be taken into account when Notified Bodies set conformity assessment fees. The Commission shall regularly assess the certification and compliance costs for SMEs and start-ups, including through transparent consultations with SMEs, start-ups and users and shall work with Member States to lower such costs. For example, translation costs related to mandatory documentation and communication with authorities may constitute a significant cost for providers and other operators, notably those of a smaller scale. Member States should possibly ensure that one of the languages determined and accepted by them for relevant providers’ documentation and for communication with operators is one which is broadly understood by the largest possible number of cross-border users. Medium-sized enterprises which recently changed from the small to medium-size category within the meaning of the Annex to Recommendation 2003/361/EC (Article 16) shall have access to these initiatives and guidance for a period of time deemed appropriate by the Member States, as these new medium-sized enterprises may sometimes lack the legal resources and training necessary to ensure proper understanding and compliance with provisions.
Recital (73a) (new)(73a) In order to promote and protect innovation, the AI-on demand platform, all relevant EU  funding programmes and projects, such as Digital Europe Programme, Horizon Europe,  implemented by the Commission and the Member States at national or EU level should  contribute to the achievement of the objectives of this Regulation.  To foster and safeguard innovation, it is proposed that the AI-on demand platform, along with all pertinent EU funding programmes and projects, including the Digital Europe Programme and Horizon Europe, implemented by the Commission and the Member States at both national and EU levels, should contribute towards the accomplishment of the objectives of this Regulation.
Recital (74)(74) In order to minimise the risks to implementation resulting from lack of knowledge and expertise in the market as well as to facilitate compliance of providers and notified bodies with their obligations under this Regulation, the AI-on demand platform, the European Digital Innovation Hubs and the Testing and Experimentation Facilities established by the Commission and the Member States at national or EU level should possibly contribute to the implementation of this Regulation. Within their respective mission and fields of competence, they may provide in particular technical and scientific support to providers and notified bodies.(74) In order to minimise the risks to implementation resulting from lack of knowledge and expertise in the market as well as to facilitate compliance of providers and notified bodies with their obligations under this Regulation, the AI-on demand platform, the European Digital Innovation Hubs and the Testing and Experimentation Facilities established by the Commission and the Member States at national or EU level should contribute to the implementation of this Regulation. Within their respective mission and fields of competence, they may provide in particular technical and scientific support to providers and notified bodies.(74) In particular, in order to minimise the risks to implementation resulting from lack of knowledge and expertise in the market as well as to facilitate compliance of providers, notably SMEs, and notified bodies with their obligations under this Regulation, the AI-on demand platform, the European Digital Innovation Hubs and the Testing and Experimentation Facilities established by the Commission and the Member States at national or EU level should possibly contribute to the implementation of this Regulation. Within their respective mission and fields of competence, they may provide in particular technical and scientific support to providers and notified bodies.

(74) In order to minimise the risks to implementation resulting from lack of knowledge and expertise in the market, particularly for SMEs, as well as to facilitate compliance of providers and notified bodies with their obligations under this Regulation, the AI-on demand platform, the European Digital Innovation Hubs and the Testing and Experimentation Facilities established by the Commission and the Member States at national or EU level should contribute to the implementation of this Regulation. Within their respective mission and fields of competence, they may provide in particular technical and scientific support to providers and notified bodies.
Recital (74a) (new)(74a) Moreover, in order to ensure proportionality considering the very small size of some operators regarding costs of innovation, it is appropriate to exempt microenterprises from the most costly obligations, such as to establish a quality management system which would reduce the administrative burden and the costs for those enterprises without affecting the level of protection and the need for compliance with the requirements for high-risk AI systems.In order to ensure proportionality considering the small size of some operators in terms of innovation costs, it is proposed to exempt microenterprises from the most costly obligations, such as the establishment of a quality management system. This would reduce the administrative burden and costs for these enterprises, without compromising the level of protection and the need for compliance with the requirements for high-risk AI systems.
Recital (75)(75) It is appropriate that the Commission facilitates, to the extent possible, access to Testing and Experimentation Facilities to bodies, groups or laboratories established or accredited pursuant to any relevant Union harmonisation legislation and which fulfil tasks in the context of conformity assessment of products or devices covered by that Union harmonisation legislation. This is notably the case for expert panels, expert laboratories and reference laboratories in the field of medical devices pursuant to Regulation (EU) 2017/745 and Regulation (EU) 2017/746.(75) It is appropriate that the Commission facilitates, to the extent possible, access to Testing and Experimentation Facilities to bodies, groups or laboratories established or accredited pursuant to any relevant Union harmonisation legislation and which fulfil tasks in the context of conformity assessment of products or devices covered by that Union harmonisation legislation. This is notably the case for expert panels, expert laboratories and reference laboratories in the field of medical devices pursuant to Regulation (EU) 2017/745 and Regulation (EU) 2017/746.(75) It is appropriate that the Commission facilitates, to the extent possible, access to Testing and Experimentation Facilities to bodies, groups or laboratories established or accredited pursuant to any relevant Union harmonisation legislation and which fulfil tasks in the context of conformity assessment of products or devices covered by that Union harmonisation legislation. This is notably the case for expert panels, expert laboratories and reference laboratories in the field of medical devices pursuant to Regulation (EU) 2017/745 and Regulation (EU) 2017/746.
(75) It is appropriate that the Commission facilitates, to the extent possible, access to Testing and Experimentation Facilities to bodies, groups or laboratories established or accredited pursuant to any relevant Union harmonisation legislation and which fulfil tasks in the context of conformity assessment of products or devices covered by that Union harmonisation legislation. This is notably the case for expert panels, expert laboratories and reference laboratories in the field of medical devices pursuant to Regulation (EU) 2017/745 and Regulation (EU) 2017/746.
Recital (76)(76) In order to facilitate a smooth, effective and harmonised implementation of this Regulation a European Artificial Intelligence Board should be established. The Board should be responsible for a number of advisory tasks, including issuing opinions, recommendations, advice or guidance on matters related to the implementation of this Regulation, including on technical specifications or existing standards regarding the requirements established in this Regulation and providing advice to and assisting the Commission on specific questions related to artificial intelligence.(76) In order to avoid fragmentation, to ensure the optimal functioning of the Single market, to ensure effective and harmonised implementation of this Regulation, to achieve a high level of trustworthiness and of protection of health and safety, fundamental rights, the environment, democracy and the rule of law across the Union with regards to AI systems, to actively support national supervisory authorities, Union institutions, bodies, offices and agencies in matters pertaining to this Regulation, and to increase the uptake of artificial intelligence throughout the Union, an European Union Artificial Intelligence Office should be established. The AI Office should have legal personality, should act in full independence, should be responsible for a number of advisory and coordination tasks, including issuing opinions, recommendations, advice or guidance on matters related to the implementation of this Regulation and should be adequately funded and staffed. Member States should provide the strategic direction and control of the AI Office through the management board of the AI Office, alongside the Commission, the EDPS, the FRA, and ENISA. An executive director should be responsible for managing the activities of the secretariat of the AI office and for representing the AI office. Stakeholders should formally participate in the work of the AI Office through an advisory forum that should ensure varied and balanced stakeholder representation and should advise the AI Office on matters pertaining to this Regulation. In case the establishment of the AI Office prove not to be sufficient to ensure a fully consistent application of this Regulation at Union level as well as efficient cross-border enforcement measures, the creation of an AI agency should be considered.(76) In order to facilitate a smooth, effective and harmonised implementation of this Regulation a  European Artificial Intelligence Board should be established. The Board should reflect the  various interests of the AI eco-system and be composed of representatives of the Member  States. In order to ensure the involvement of relevant stakeholders, a standing subgroup of  the Board should be created. The Board should be responsible for a number of advisory  tasks, including issuing opinions, recommendations, advice or contributing to guidance on  matters related to the implementation of this Regulation, including on enforcement matters,  technical specifications or existing standards regarding the requirements established in this  Regulation and providing advice to the Commission and the Member States and their  national competent authorities on specific questions related to artificial intelligence. In order  to give some flexibility to Member States in the designation of their representatives in the AI  Board, such representatives may be any persons belonging to public entities who should  have the relevant competences and powers to facilitate coordination at national level and  contribute to the achievement of the Board’s tasks. The Board should establish two standing  sub-groups to provide a platform for cooperation and exchange among market surveillance  authorities and notifying authorities on issues related respectively to market surveillance and  notified bodies. The standing subgroup for market surveillance should act as the  Administrative Cooperation Group (ADCO) for this Regulation in the meaning of Article 30  of Regulation (EU) 2019/1020. In line with the role and tasks of the Commission pursuant to  Article 33 of Regulation (EU) 2019/1020, the Commission should support the activities of  the standing subgroup for market surveillance by undertaking market evaluations or studies,  notably with a view to identifying aspects of this Regulation requiring specific and urgent  coordination among market surveillance authorities. The Board may establish other standing  or temporary sub-groups as appropriate for the purpose of examining specific issues. The  Board should also cooperate, as appropriate, with relevant EU bodies, experts groups and  networks active in the context of relevant EU legislation, including in particular those active  under relevant EU regulation on data, digital products and services.(76) In order to facilitate a smooth, effective, and harmonised implementation of this Regulation, to ensure the optimal functioning of the Single market, to achieve a high level of trustworthiness and of protection of health and safety, fundamental rights, the environment, democracy and the rule of law across the Union with regards to AI systems, and to increase the uptake of artificial intelligence throughout the Union, a European Artificial Intelligence Board, hereafter referred to as the AI Office, should be established. The AI Office should reflect the various interests of the AI eco-system and be composed of representatives of the Member States. It should have legal personality, act in full independence, and be adequately funded and staffed.

The AI Office should be responsible for a number of advisory and coordination tasks, including issuing opinions, recommendations, advice or guidance on matters related to the implementation of this Regulation, including on enforcement matters, technical specifications or existing standards regarding the requirements established in this Regulation. It should provide advice to the Commission, the Member States and their national competent authorities on specific questions related to artificial intelligence.

Member States should provide the strategic direction and control of the AI Office through the management board of the AI Office, alongside the Commission, the EDPS, the FRA, and ENISA. An executive director should be responsible for managing the activities of the secretariat of the AI office and for representing the AI office.

In order to ensure the involvement of relevant stakeholders, a standing subgroup of the Board should be created. Stakeholders should formally participate in the work of the AI Office through an advisory forum that should ensure varied and balanced stakeholder representation and should advise the AI Office on matters pertaining to this Regulation. The Board should establish two standing sub-groups to provide a platform for cooperation and exchange among market surveillance authorities and notifying authorities on issues related respectively to market surveillance and notified bodies. The Board may establish other standing or temporary sub-groups as appropriate for the purpose of examining specific issues.

The Board should also cooperate, as appropriate, with relevant EU bodies, experts groups and networks active in the context of relevant EU legislation, including in particular those active under relevant EU regulation on data, digital products and services. In case the establishment of the AI Office prove not to be sufficient to ensure a fully consistent application of this Regulation at Union level as well as efficient cross-border enforcement measures, the creation of an AI agency should be considered.
Recital (76a) (new)(76a) The Commission should actively support the Member States and operators in the  implementation and enforcement of this Regulation. In this regard it should develop  guidelines on particular topics aiming at facilitating the application of this Regulation, while  paying particular attention to the needs of SMEs and start-us in sectors most likely to be  affected. In order to support adequate enforcement and the capacities of the Member States,  Union testing facilities on AI and a pool of relevant experts should be established and made  available to the Member States.The Commission is encouraged to actively support the Member States and operators in the implementation and enforcement of this Regulation. This includes the development of guidelines on specific topics to facilitate the application of this Regulation, with a special focus on the needs of SMEs and start-ups in sectors most likely to be affected. To further aid in enforcement and bolster the capacities of the Member States, the establishment of Union testing facilities on AI and a pool of relevant experts should be considered, with these resources made available to the Member States.
Recital (77)(77) Member States hold a key role in the application and enforcement of this Regulation. In this respect, each Member State should designate one or more national competent authorities for the purpose of supervising the application and implementation of this Regulation. In order to increase organisation efficiency on the side of Member States and to set an official point of contact vis-à-vis the public and other counterparts at Member State and Union levels, in each Member State one national authority should be designated as national supervisory authority.(77) Each Member State should designate a national supervisory authority for the purpose of supervising the application and implementation of this Regulation. It should also represent its Member State at the management board of the AI Office. In order to increase organisation efficiency on the side of Member States and to set an official point of contact vis-à-vis the public and other counterparts at Member State and Union levels. Each national supervisory authority should act with complete independence in performing its tasks and exercising its powers in accordance with this Regulation.(77) Member States hold a key role in the application and enforcement of this Regulation. In this  respect, each Member State should designate one or more national competent authorities for  the purpose of supervising the application and implementation of this Regulation. Member  States may decide to appoint any kind of public entity to perform the tasks of the national  competent authorities within the meaning of this Regulation, in accordance with their  specific national organisational characteristics and needs.  (77) Member States hold a key role in the application and enforcement of this Regulation. In this respect, each Member State should designate one or more national competent authorities, which may include any kind of public entity in accordance with their specific national organisational characteristics and needs, for the purpose of supervising the application and implementation of this Regulation. One such authority should be designated as the national supervisory authority, acting with complete independence in performing its tasks and exercising its powers in accordance with this Regulation. This authority should also represent its Member State at the management board of the AI Office. In order to increase organisation efficiency on the side of Member States and to set an official point of contact vis-Ã -vis the public and other counterparts at Member State and Union levels, it is necessary to establish such a national supervisory authority.
Recital (77a) (new)(77a) The national supervisory authorities should monitor the application of the provisions pursuant to this Regulation and contribute to its consistent application throughout the Union. For that purpose, the national supervisory authorities should cooperate with each other, with the relevant national competent authorities, the Commission, and with the AI Office.The national supervisory authorities should oversee the implementation of the provisions in accordance with this Regulation and contribute to its uniform application across the Union. To achieve this, the national supervisory authorities should collaborate with each other, with the relevant national competent authorities, the Commission, and with the AI Office.
Recital (77b) (new)(77b) The member or the staff of each national supervisory authority should, in accordance with Union or national law, be subject to a duty of professional secrecy both during and after their term of office, with regard to any confidential information which has come to their knowledge in the course of the performance of their tasks or exercise of their powers. During their term of office, that duty of professional secrecy should in particular apply to trade secrets and to reporting by natural persons of infringements of this RegulationEach member or staff of the national supervisory authority should be obligated, in accordance with Union or national law, to maintain professional secrecy both during and after their term of office. This pertains to any confidential information they have acquired in the course of performing their tasks or exercising their powers. This duty of professional secrecy should specifically apply to trade secrets and to the reporting of infringements of this Regulation by natural persons.
Recital (78)(78) In order to ensure that providers of high-risk AI systems can take into account the experience on the use of high-risk AI systems for improving their systems and the design and development process or can take any possible corrective action in a timely manner, all providers should have a post-market monitoring system in place. This system is also key to ensure that the possible risks emerging from AI systems which continue to ‘learn’ after being placed on the market or put into service can be more efficiently and timely addressed. In this context, providers should also be required to have a system in place to report to the relevant authorities any serious incidents or any breaches to national and Union law protecting fundamental rights resulting from the use of their AI systems.(78) In order to ensure that providers of high-risk AI systems can take into account the experience on the use of high-risk AI systems for improving their systems and the design and development process or can take any possible corrective action in a timely manner, all providers should have a post-market monitoring system in place. This system is also key to ensure that the possible risks emerging from AI systems which continue to ‘learn’ or evolve after being placed on the market or put into service can be more efficiently and timely addressed. In this context, providers should also be required to have a system in place to report to the relevant authorities any serious incidents or any breaches to national and Union law, including those protecting fundamental rights and consumer rights resulting from the use of their AI systems and take appropriate corrective actions. Deployers should also report to the relevant authorities, any serious incidents or breaches to national and Union law resulting from the use of their AI system when they become aware of such serious incidents or breaches.(78) In order to ensure that providers of high-risk AI systems can take into account the  experience on the use of high-risk AI systems for improving their systems and the design  and development process or can take any possible corrective action in a timely manner, all  providers should have a post-market monitoring system in place. This system is also key to  ensure that the possible risks emerging from AI systems which continue to ‘learn’ after  being placed on the market or put into service can be more efficiently and timely addressed.  In this context, providers should also be required to have a system in place to report to the  relevant authorities any serious incidents resulting from the use of their AI systems. (78) In order to ensure that providers of high-risk AI systems can take into account the experience on the use of high-risk AI systems for improving their systems and the design and development process or can take any possible corrective action in a timely manner, all providers should have a post-market monitoring system in place. This system is also key to ensure that the possible risks emerging from AI systems which continue to ‘learn’ or evolve after being placed on the market or put into service can be more efficiently and timely addressed. In this context, providers should also be required to have a system in place to report to the relevant authorities any serious incidents or any breaches to national and Union law, including those protecting fundamental rights and consumer rights resulting from the use of their AI systems and take appropriate corrective actions. Providers should also report any serious incidents resulting from the use of their AI systems. Deployers should also report to the relevant authorities, any serious incidents or breaches to national and Union law resulting from the use of their AI system when they become aware of such serious incidents or breaches.
Recital (79)(79) In order to ensure an appropriate and effective enforcement of the requirements and obligations set out by this Regulation, which is Union harmonisation legislation, the system of market surveillance and compliance of products established by Regulation (EU) 2019/1020 should apply in its entirety. Where necessary for their mandate, national public authorities or bodies, which supervise the application of Union law protecting fundamental rights, including equality bodies, should also have access to any documentation created under this Regulation.(79) In order to ensure an appropriate and effective enforcement of the requirements and obligations set out by this Regulation, which is Union harmonisation legislation, the system of market surveillance and compliance of products established by Regulation (EU) 2019/1020 should apply in its entirety. For the purpose of this Regulation, national supervisory authorities should act as market surveillance authorities for AI systems covered by this Regulation except for AI systems covered by Annex II of this Regulation. For AI systems covered by legal acts listed in the Annex II, the competent authorites under those legal acts should remain the lead authority. National supervisory authorities and competent authorities in the legal acts listed in Annex II should work together whenever necessary. When appropriate, the competent authorities in the legal acts listed in Annex II should send competent staff to the national supervisory authority in order to assist in the performance of its tasks. For the purpose of this Regulation, national supervisory authorities should have the same powers and obligations as market surveillance authorities under Regulation (EU) 2019/1020. Where necessary for their mandate, national public authorities or bodies, which supervise the application of Union law protecting fundamental rights, including equality bodies, should also have access to any documentation created under this Regulation. After having exhausted all other reasonable ways to assess/verify the conformity and upon a reasoned request, the national supervisory authority should be granted access to the training, validation and testing datasets, the trained and training model of the high-risk AI system, including its relevant model parameters and their execution /run environment. In cases of simpler software systems falling under this Regulation that are not based on trained models, and where all other ways to verify conformity have been exhausted, the national supervisory authority may exceptionally have access to the source code, upon a reasoned request. Where the national supervisory authority has been granted access to the training, validation and testing datasets in accordance with this Regulation, such access should be achieved through appropriate technical means and tools, including on site access and in exceptional circumstances, remote access. The national supervisory authority should treat any information, including source code, software, and data as applicable, obtained as confidential information and respect relevant Union law on the protection of intellectual property and trade secrets. The national supervisory authority should delete any information obtained upon the completion of the investigation.(79) In order to ensure an appropriate and effective enforcement of the requirements and  obligations set out by this Regulation, which is Union harmonisation legislation, the system  of market surveillance and compliance of products established by Regulation (EU)  2019/1020 should apply in its entirety. Market surveillance authorities designated pursuant  to this Regulation should have all enforcement powers under this Regulation and Regulation  (EU) 2019/1020 and should exercise their powers and carry out their duties independently,  impartially and without bias. Although the majority of AI systems are not subject to specific  requirements and obligations under this Regualtion, market surveillance authorities may take  measures in relation to all AI systems when they present a risk in accordance with this  Regulation. Due to the specific nature of Union institutions, agencies and bodies falling  within the scope of this Regulation, it is appropriate to designate the European Data  Protection Supervisor as a competent market surveillance authority for them. This should be  without prejudice to the designation of national competent authorities by the Member States.  Market surveillance activities should not affect the ability of the supervised entities to carry  out their tasks independently, when such independence is required by Union law. (79) In order to ensure an appropriate and effective enforcement of the requirements and obligations set out by this Regulation, which is Union harmonisation legislation, the system of market surveillance and compliance of products established by Regulation (EU) 2019/1020 should apply in its entirety. National supervisory authorities should act as market surveillance authorities for AI systems covered by this Regulation except for AI systems covered by Annex II of this Regulation. For AI systems covered by legal acts listed in the Annex II, the competent authorities under those legal acts should remain the lead authority. National supervisory authorities and competent authorities in the legal acts listed in Annex II should work together whenever necessary.

Market surveillance authorities designated pursuant to this Regulation should have all enforcement powers under this Regulation and Regulation (EU) 2019/1020 and should exercise their powers and carry out their duties independently, impartially and without bias. They may take measures in relation to all AI systems when they present a risk in accordance with this Regulation. The European Data Protection Supervisor should be designated as a competent market surveillance authority for Union institutions, agencies and bodies falling within the scope of this Regulation, without prejudice to the designation of national competent authorities by the Member States.

Where necessary for their mandate, national public authorities or bodies, which supervise the application of Union law protecting fundamental rights, including equality bodies, should also have access to any documentation created under this Regulation. After having exhausted all other reasonable ways to assess/verify the conformity and upon a reasoned request, the national supervisory authority should be granted access to the training, validation and testing datasets, the trained and training model of the high-risk AI system, including its relevant model parameters and their execution /run environment. In cases of simpler software systems falling under this Regulation that are not based on trained models, and where all other ways to verify conformity have been exhausted, the national supervisory authority may exceptionally have access to the source code, upon a reasoned request.

The national supervisory authority should treat any information, including source code, software, and data as applicable, obtained as confidential information and respect relevant Union law on the protection of intellectual property and trade secrets. The national supervisory authority should delete any information obtained upon the completion of the investigation. Market surveillance activities should not affect the ability of the supervised entities to carry out their tasks independently, when such independence is required by Union law.
Recital (79a) (new)(79a) This Regulation is without prejudice to the competences, tasks, powers and independence of  relevant national public authorities or bodies which supervise the application of Union law  protecting fundamental rights, including equality bodies and data protection authorities.  Where necessary for their mandate, those national public authorities or bodies should also  have access to any documentation created under this Regulation. A specific safeguard  procedure should be set for ensuring adequate and timely enforcement against AI systems  presenting a risk to health, safety and fundamental rights. The procedure for such AI  systems presenting a risk should be applied to high-risk AI systems presenting a risk,  prohibited systems which have been placed on the market, put into service or used in  violation of the prohibited practices laid down in this Regulation and AI systems which have  been made available in violation of the transparency requirements laid down in this  Regulation and present a risk.This Regulation respects the competences, tasks, powers and independence of relevant national public authorities or bodies supervising the application of Union law protecting fundamental rights, including equality bodies and data protection authorities. These national public authorities or bodies should have access to any documentation created under this Regulation, as necessary for their mandate. A specific safeguard procedure should be established to ensure adequate and timely enforcement against AI systems presenting a risk to health, safety and fundamental rights. This procedure should be applied to high-risk AI systems, prohibited systems which have been placed on the market, put into service or used in violation of the prohibited practices laid down in this Regulation, and AI systems which have been made available in violation of the transparency requirements laid down in this Regulation and present a risk.
Recital (80)(80) Union legislation on financial services includes internal governance and risk management rules and requirements which are applicable to regulated financial institutions in the course of provision of those services, including when they make use of AI systems. In order to ensure coherent application and enforcement of the obligations under this Regulation and relevant rules and requirements of the Union financial services legislation, the authorities responsible for the supervision and enforcement of the financial services legislation, including where applicable the European Central Bank, should be designated as competent authorities for the purpose of supervising the implementation of this Regulation, including for market surveillance activities, as regards AI systems provided or used by regulated and supervised financial institutions. To further enhance the consistency between this Regulation and the rules applicable to credit institutions regulated under Directive 2013/36/EU of the European Parliament and of the Council56 , it is also appropriate to integrate the conformity assessment procedure and some of the providers’ procedural obligations in relation to risk management, post marketing monitoring and documentation into the existing obligations and procedures under Directive 2013/36/EU. In order to avoid overlaps, limited derogations should also be envisaged in relation to the quality management system of providers and the monitoring obligation placed on users of high-risk AI systems to the extent that these apply to credit institutions regulated by Directive 2013/36/EU.

––––
56. Directive 2013/36/EU of the European Parliament and of the Council of 26 June 2013 on access to the activity of credit institutions and the prudential supervision of credit institutions and investment firms, amending Directive 2002/87/EC and repealing Directives 2006/48/EC and 2006/49/EC (OJ L 176, 27.6.2013, p. 338).		(80) Union law on financial services includes internal governance and risk management rules and requirements which are applicable to regulated financial institutions in the course of provision of those services, including when they make use of AI systems. In order to ensure coherent application and enforcement of the obligations under this Regulation and relevant rules and requirements of the Union financial services law, the competent authorities responsible for the supervision and enforcement of the financial services law, including where applicable the European Central Bank, should be designated as competent authorities for the purpose of supervising the implementation of this Regulation, including for market surveillance activities, as regards AI systems provided or used by regulated and supervised financial institutions. To further enhance the consistency between this Regulation and the rules applicable to credit institutions regulated under Directive 2013/36/EU of the European Parliament and of the Council56 , it is also appropriate to integrate the conformity assessment procedure and some of the providers’ procedural obligations in relation to risk management, post marketing monitoring and documentation into the existing obligations and procedures under Directive 2013/36/EU. In order to avoid overlaps, limited derogations should also be envisaged in relation to the quality management system of providers and the monitoring obligation placed on deployers of high-risk AI systems to the extent that these apply to credit institutions regulated by Directive 2013/36/EU.

––––
56. Directive 2013/36/EU of the European Parliament and of the Council of 26 June 2013 on access to the activity of credit institutions and the prudential supervision of credit institutions and investment firms, amending Directive 2002/87/EC and repealing Directives 2006/48/EC and 2006/49/EC (OJ L 176, 27.6.2013, p. 338).		(80) Union legislation on financial services includes internal governance and risk management  rules and requirements which are applicable to regulated financial institutions in the course  of provision of those services, including when they make use of AI systems. In order to  ensure coherent application and enforcement of the obligations under this Regulation and  relevant rules and requirements of the Union financial services legislation, the authorities  responsible for the supervision and enforcement of the financial services legislation should  be designated as competent authorities for the purpose of supervising the implementation of  this Regulation, including for market surveillance activities, as regards AI systems provided  or used by regulated and supervised financial institutions unless Member States decide to  designate another authority to fulfill these market surveillance tasks. Those competent  authorities should have all powers under this Regulation and Regulation (EU) 2019/1020 on  market surveillance to enforce the requirements and obligations of this Regulation, including  powers to carry our ex post market surveillance activities that can be integrated, as  appropriate, into their existing supervisory mechanisms and procedures under the relevant  Union financial services legislation. It is appropriate to envisage that, when acting as market  surveillance authorities under this Regulation, the national authorities responsible for the  supervision of credit institutions regulated under Directive 2013/36/EU, which are  participating in the Single Supervisory Mechanism (SSM) established by Council  Regulation No 1024/2013, should report, without delay, to the European Central Bank any  information identified in the course of their market surveillance activities that may be of  potential interest for the European Central Bank’s prudential supervisory tasks as specified  in that Regulation. To further enhance the consistency between this Regulation and the rules  applicable to credit institutions regulated under Directive 2013/36/EU of the European  Parliament and of the Council27, it is also appropriate to integrate some of the providers’  procedural obligations in relation to risk management, post marketing monitoring and  documentation into the existing obligations and procedures under Directive 2013/36/EU. In  order to avoid overlaps, limited derogations should also be envisaged in relation to the  quality management system of providers and the monitoring obligation placed on users of  high-risk AI systems to the extent that these apply to credit institutions regulated by  Directive 2013/36/EU. The same regime should apply to insurance and re-insurance  undertakings and insurance holding companies under Directive 2009/138/EU (Solvency II)  and the insurance intermediaries under Directive 2016/97/EU and other types of financial institutions subject to requirements regarding internal governance, arrangements or processes established pursuant to the relevant Union financial services legislation to ensure consistency and equal treatment in the financial sector.


––––
27. Directive 2013/36/EU of the European Parliament and of the Council of 26 June 2013 on access to the activity of credit institutions and the prudential supervision of credit institutions and investment firms, amending Directive 2002/87/EC and repealing Directives 2006/48/EC and 2006/49/EC (OJ L 176, 27.6.2013, p. 338).		(80) Union legislation on financial services includes internal governance and risk management rules and requirements which are applicable to regulated financial institutions in the course of provision of those services, including when they make use of AI systems. In order to ensure coherent application and enforcement of the obligations under this Regulation and relevant rules and requirements of the Union financial services legislation, the authorities responsible for the supervision and enforcement of the financial services legislation, including where applicable the European Central Bank, should be designated as competent authorities for the purpose of supervising the implementation of this Regulation, including for market surveillance activities, as regards AI systems provided or used by regulated and supervised financial institutions unless Member States decide to designate another authority to fulfill these market surveillance tasks. Those competent authorities should have all powers under this Regulation and Regulation (EU) 2019/1020 on market surveillance to enforce the requirements and obligations of this Regulation, including powers to carry out ex post market surveillance activities that can be integrated, as appropriate, into their existing supervisory mechanisms and procedures under the relevant Union financial services legislation. To further enhance the consistency between this Regulation and the rules applicable to credit institutions regulated under Directive 2013/36/EU of the European Parliament and of the Council, it is also appropriate to integrate the conformity assessment procedure and some of the providers’ procedural obligations in relation to risk management, post marketing monitoring and documentation into the existing obligations and procedures under Directive 2013/36/EU. In order to avoid overlaps, limited derogations should also be envisaged in relation to the quality management system of providers and the monitoring obligation placed on users of high-risk AI systems to the extent that these apply to credit institutions regulated by Directive 2013/36/EU. The same regime should apply to insurance and re-insurance undertakings and insurance holding companies under Directive 2009/138/EU (Solvency II) and the insurance intermediaries under Directive 2016/97/EU and other types of financial institutions subject to requirements regarding internal governance, arrangements or processes established pursuant to the relevant Union financial services legislation to ensure consistency and equal treatment in the financial sector.
Recital (80a) (new)(80a) Given the objectives of this Regulation, namely to ensure an equivalent level of protection of health, safety and fundamental rights of natural persons, to ensure the protection of the rule of law and democracy, and taking into account that the mitigation of the risks of AI system against such rights may not be sufficiently achieved at national level or may be subject to diverging interpretation which could ultimately lead to an uneven level of protection of natural persons and create market fragmentation, the national supervisory authorities should be empowered to conduct joint investigations or rely on the union safeguard procedure provided for in this Regulation for effective enforcement. Joint investigations should be initiated where the national supervisory authority have sufficient reasons to believe that an infringement of this Regulation amount to a widespread infringement or a widespread infringement with a Union dimension, or where the AI system or foundation model presents a risk which affects or is likely to affect at least 45 million individuals in more than one Member State.Given the objectives of this Regulation, which are to ensure an equivalent level of protection of health, safety, and fundamental rights of natural persons, as well as the protection of the rule of law and democracy, it is necessary to empower national supervisory authorities to conduct joint investigations or rely on the union safeguard procedure provided for in this Regulation for effective enforcement. This is due to the potential insufficiency of risk mitigation at the national level and the possibility of diverging interpretations leading to an uneven level of protection and market fragmentation. Joint investigations should be initiated where the national supervisory authority has sufficient reasons to believe that an infringement of this Regulation amounts to a widespread infringement or a widespread infringement with a Union dimension, or where the AI system or foundation model presents a risk which affects or is likely to affect at least 45 million individuals in more than one Member State.
Recital (81)(81)The development of AI systems other than high-risk AI systems in accordance with the requirements of this Regulation may lead to a larger uptake of trustworthy artificial intelligence in the Union. Providers of non-high-risk AI systems should be encouraged to create codes of conduct intended to foster the voluntary application of the mandatory requirements applicable to high-risk AI systems. Providers should also be encouraged to apply on a voluntary basis additional requirements related, for example, to environmental sustainability, accessibility to persons with disability, stakeholders’ participation in the design and development of AI systems, and diversity of the development teams. The Commission may develop initiatives, including of a sectorial nature, to facilitate the lowering of technical barriers hindering cross-border exchange of data for AI development, including on data access infrastructure, semantic and technical interoperability of different types of data.(81)The development of AI systems other than high-risk AI systems in accordance with the requirements of this Regulation may lead to a larger uptake of trustworthy artificial intelligence in the Union. Providers of non-high-risk AI systems should be encouraged to create codes of conduct intended to foster the voluntary application of the mandatory requirements applicable to high-risk AI systems. Providers should also be encouraged to apply on a voluntary basis additional requirements related, for example, to environmental sustainability, accessibility to persons with disability, stakeholders’ participation in the design and development of AI systems, and diversity of the development teams. The Commission may develop initiatives, including of a sectorial nature, to facilitate the lowering of technical barriers hindering cross-border exchange of data for AI development, including on data access infrastructure, semantic and technical interoperability of different types of data.(81) The development of AI systems other than high-risk AI systems in accordance with the  requirements of this Regulation may lead to a larger uptake of trustworthy artificial  intelligence in the Union. Providers of non-high-risk AI systems should be encouraged to  create codes of conduct intended to foster the voluntary application of the requirements  applicable to high-risk AI systems, adapted in light of the intended purpose of the systems  and the lower risk involved. Providers should also be encouraged to apply on a voluntary  basis additional requirements related, for example, to environmental sustainability,  accessibility to persons with disability, stakeholders’ participation in the design and  development of AI systems, and diversity of the development teams. The Commission may  develop initiatives, including of a sectorial nature, to facilitate the lowering of technical  barriers hindering cross-border exchange of data for AI development, including on data  access infrastructure, semantic and technical interoperability of different types of data.(81) The development of AI systems other than high-risk AI systems, in accordance with the requirements of this Regulation, may lead to a larger uptake of trustworthy artificial intelligence in the Union. Providers of non-high-risk AI systems should be encouraged to create codes of conduct intended to foster the voluntary application of the mandatory requirements applicable to high-risk AI systems, adapted in light of the intended purpose of the systems and the lower risk involved. Providers should also be encouraged to apply on a voluntary basis additional requirements related, for example, to environmental sustainability, accessibility to persons with disability, stakeholders’ participation in the design and development of AI systems, and diversity of the development teams. The Commission may develop initiatives, including of a sectorial nature, to facilitate the lowering of technical barriers hindering cross-border exchange of data for AI development, including on data access infrastructure, semantic and technical interoperability of different types of data.
Recital (82)(82) It is important that AI systems related to products that are not high-risk in accordance with this Regulation and thus are not required to comply with the requirements set out herein are nevertheless safe when placed on the market or put into service. To contribute to this objective, the Directive 2001/95/EC of the European Parliament and of the Council57 would apply as a safety net.

–––––
57. Directive 2001/95/EC of the European Parliament and of the Council of 3 December 2001 on general product safety (OJ L 11, 15.1.2002, p. 4).		(82) It is important that AI systems related to products that are not high-risk in accordance with this Regulation and thus are not required to comply with the requirements set out for high-risk AI systems are nevertheless safe when placed on the market or put into service. To contribute to this objective, the Directive 2001/95/EC of the European Parliament and of the Council57 would apply as a safety net.


–––––
57. Directive 2001/95/EC of the European Parliament and of the Council of 3 December 2001 on general product safety (OJ L 11, 15.1.2002, p. 4).		(82) It is important that AI systems related to products that are not high-risk in accordance with  this Regulation and thus are not required to comply with the requirements set out herein are  nevertheless safe when placed on the market or put into service. To contribute to this  objective, the Directive 2001/95/EC of the European Parliament and of the Council28 would  apply as a safety net.

–––––
28. Directive 2001/95/EC of the European Parliament and of the Council of 3 December 2001 on general product safety (OJ L 11, 15.1.2002, p. 4). 		(82) It is important that AI systems related to products that are not high-risk in accordance with this Regulation and thus are not required to comply with the requirements set out herein or for high-risk AI systems are nevertheless safe when placed on the market or put into service. To contribute to this objective, the Directive 2001/95/EC of the European Parliament and of the Council would apply as a safety net.

–––––
Directive 2001/95/EC of the European Parliament and of the Council of 3 December 2001 on general product safety (OJ L 11, 15.1.2002, p. 4).
Recital (83)(83) In order to ensure trustful and constructive cooperation of competent authorities on Union and national level, all parties involved in the application of this Regulation should respect the confidentiality of information and data obtained in carrying out their tasks.(83) In order to ensure trustful and constructive cooperation of competent authorities on Union and national level, all parties involved in the application of this Regulation should aim for transparency and openness while respecting the confidentiality of information and data obtained in carrying out their tasks by putting in place technical and organisational measures to protect the security and confidentiality of the information obtained carrying out their activities including for intellectual property rights and public and national security interests. Where the activities of the Commission, national competent authorities and notified bodies pursuant to this Regulation results in a breach of intellectual property rights, Member States should provide for adequate measures and remedies to ensure the enforcement of intellectual property rights in application of Directive 2004/48/EC.(83) In order to ensure trustful and constructive cooperation of competent authorities on Union  and national level, all parties involved in the application of this Regulation should respect  the confidentiality of information and data obtained in carrying out their tasks, in accordance  with Union or national law.  (83) In order to ensure trustful and constructive cooperation of competent authorities on Union and national level, all parties involved in the application of this Regulation should aim for transparency and openness, while respecting the confidentiality of information and data obtained in carrying out their tasks. This should be in accordance with Union or national law and should involve putting in place technical and organisational measures to protect the security and confidentiality of the information obtained carrying out their activities, including for intellectual property rights and public and national security interests. Where the activities of the Commission, national competent authorities and notified bodies pursuant to this Regulation results in a breach of intellectual property rights, Member States should provide for adequate measures and remedies to ensure the enforcement of intellectual property rights in application of Directive 2004/48/EC.
Recital (84)(84) Member States should take all necessary measures to ensure that the provisions of this Regulation are implemented, including by laying down effective, proportionate and dissuasive penalties for their infringement. For certain specific infringements, Member States should take into account the margins and criteria set out in this Regulation. The European Data Protection Supervisor should have the power to impose fines on Union institutions, agencies and bodies falling within the scope of this Regulation.(84) Compliance with this Regulation should be enforceable by means of the imposition of fines by the national supervisory authority when carrying out proceedings under the procedure laid down in this Regulation. Member States should take all necessary measures to ensure that the provisions of this Regulation are implemented, including by laying down effective, proportionate and dissuasive penalties for their infringement. In order to strengthen and harmonise administrative penalties for infringement of this Regulation, the upper limits for setting the administrative fines for certain specific infringements should be laid down;. When assessing the amount of the fines, national competent authorities should, in each individual case, take into account all relevant circumstances of the specific situation, with due regard in particular to the nature, gravity and duration of the infringement and of its consequences and to the provider’s size, in particular if the provider is a SME or a start-up. The European Data Protection Supervisor should have the power to impose fines on Union institutions, agencies and bodies falling within the scope of this Regulation. The penalties and litigation costs under this Regulation should not be subject to contractual clauses or any other arrangements.(84) Member States should take all necessary measures to ensure that the provisions of this  Regulation are implemented, including by laying down effective, proportionate and  dissuasive penalties for their infringement, and in respect of the ne bis in idem principle. For  certain specific infringements, Member States should take into account the margins and  criteria set out in this Regulation. The European Data Protection Supervisor should have the  power to impose fines on Union institutions, agencies and bodies falling within the scope of  this Regulation.  (84) Member States should take all necessary measures to ensure that the provisions of this Regulation are implemented, including by laying down effective, proportionate and dissuasive penalties for their infringement, and in respect of the ne bis in idem principle. Compliance with this Regulation should be enforceable by means of the imposition of fines by the national supervisory authority when carrying out proceedings under the procedure laid down in this Regulation. For certain specific infringements, Member States should take into account the margins and criteria set out in this Regulation. In order to strengthen and harmonise administrative penalties for infringement of this Regulation, the upper limits for setting the administrative fines for certain specific infringements should be laid down. When assessing the amount of the fines, national competent authorities should, in each individual case, take into account all relevant circumstances of the specific situation, with due regard in particular to the nature, gravity and duration of the infringement and of its consequences and to the provider’s size, in particular if the provider is a SME or a start-up. The European Data Protection Supervisor should have the power to impose fines on Union institutions, agencies and bodies falling within the scope of this Regulation. The penalties and litigation costs under this Regulation should not be subject to contractual clauses or any other arrangements.
Recital (84a) (new)(84a) As the rights and freedoms of natural and legal persons and groups of natural persons can be seriously undermined by AI systems, it is essential that natural and legal persons or groups of natural persons have meaningful access to reporting and redress mechanisms and to be entitled to access proportionate and effective remedies. They should be able to report infringments of this Regulation to their national supervisory authority and have the right to lodge a complaint against the providers or deployers of AI systems. Where applicable, deployers should provide internal complaints mechanisms to be used by natural and legal persons or groups of natural persons. Without prejudice to any other administrative or non-judicial remedy, natural and legal persons and groups of natural persons should also have the right to an effective judicial remedy with regard to a legally binding decision of a national supervisory authority concerning them or, where the national supervisory authority does not handle a complaint, does not inform the complainant of the progress or preliminary outcome of the complaint lodged or does not comply with its obligation to reach a final decision, with regard to the complaint.Natural and legal persons, as well as groups of natural persons, whose rights and freedoms can be significantly impacted by AI systems, should have access to meaningful reporting and redress mechanisms. They should be entitled to proportionate and effective remedies, including the ability to report infringements of this Regulation to their national supervisory authority. They should also have the right to lodge a complaint against the providers or deployers of AI systems.

Where applicable, deployers should establish internal complaints mechanisms for use by natural and legal persons or groups of natural persons. In addition to any other administrative or non-judicial remedy, these individuals and groups should have the right to an effective judicial remedy concerning a legally binding decision of a national supervisory authority that affects them.

This also applies in cases where the national supervisory authority does not handle a complaint, does not inform the complainant of the progress or preliminary outcome of the complaint lodged, or does not comply with its obligation to reach a final decision on the complaint.
Recital (84b) (new)(84b) Affected persons should always be informed that they are subject to the use of a high-risk AI system, when deployers use a high-risk AI system to assist in decision-making or make decisions related to natural persons. This information can provide a basis for affected persons to exercise their right to an explanation under this Regulation.When deployers provide an explanation to affected persons under this Regulation, they should take into account the level of expertise and knowledge of the average consumer or individual.When deployers utilize a high-risk AI system for decision-making or decisions related to natural persons, it is imperative that the affected persons are always informed of their involvement with such a system. This information serves as a foundation for the affected persons to exercise their right to an explanation under this Regulation. In providing an explanation, deployers should consider the level of expertise and knowledge of the average consumer or individual.
Recital (84c) (new)(84c) Union law on the protection of whistleblowers (Directive (EU) 2019/1937) has full application to academics, designers, developers, project contributors, auditors, product managers, engineers and economic operators acquiring information on breaches of Union law by a provider of AI system or its AI system.The Directive (EU) 2019/1937 on the protection of whistleblowers fully applies to academics, designers, developers, project contributors, auditors, product managers, engineers and economic operators who acquire information on breaches of Union law by a provider of AI system or its AI system.
Recital (85)(85) In order to ensure that the regulatory framework can be adapted where necessary, the power to adopt acts in accordance with Article 290 TFEU should be delegated to the Commission to amend the techniques and approaches referred to in Annex I to define AI systems, the Union harmonisation legislation listed in Annex II, the high-risk AI systems listed in Annex III, the provisions regarding technical documentation listed in Annex IV, the content of the EU declaration of conformity in Annex V, the provisions regarding the conformity assessment procedures in Annex VI and VII and the provisions establishing the high-risk AI systems to which the conformity assessment procedure based on assessment of the quality management system and assessment of the technical documentation should apply. It is of particular importance that the Commission carry out appropriate consultations during its preparatory work, including at expert level, and that those consultations be conducted in accordance with the principles laid down in the Interinstitutional Agreement of 13 April 2016 on Better Law-Making58 . In particular, to ensure equal participation in the preparation of delegated acts, the European Parliament and the Council receive all documents at the same time as Member States’ experts, and their experts systematically have access to meetings of Commission expert groups dealing with the preparation of delegated acts.

–––
58. OJ L 123, 12.5.2016, p. 1.		(85) In order to ensure that the regulatory framework can be adapted where necessary, the power to adopt acts in accordance with Article 290 TFEU should be delegated to the Commission to amend the Union harmonisation legislation listed in Annex II, the high-risk AI systems listed in Annex III, the provisions regarding technical documentation listed in Annex IV, the content of the EU declaration of conformity in Annex V, the provisions regarding the conformity assessment procedures in Annex VI and VII and the provisions establishing the high-risk AI systems to which the conformity assessment procedure based on assessment of the quality management system and assessment of the technical documentation should apply. It is of particular importance that the Commission carry out appropriate consultations during its preparatory work, including at expert level, and that those consultations be conducted in accordance with the principles laid down in the Interinstitutional Agreement of 13 April 2016 on Better Law-Making58. These consultations should involve the participation of a balanced selection of stakeholders, including consumer organisations, civil society, associations representing affected persons, businesses representatives from different sectors and sizes, as well as researchers and scientists. In particular, to ensure equal participation in the preparation of delegated acts, the European Parliament and the Council receive all documents at the same time as Member States’ experts, and their experts systematically have access to meetings of Commission expert groups dealing with the preparation of delegated acts.

–––
58. OJ L 123, 12.5.2016, p. 1.		(85) In order to ensure that the regulatory framework can be adapted where necessary, the power  to adopt acts in accordance with Article 290 TFEU should be delegated to the Commission  to amend the Union harmonisation legislation listed in Annex II, the high-risk AI systems  listed in Annex III, the provisions regarding technical documentation listed in Annex IV, the  content of the EU declaration of conformity in Annex V, the provisions regarding the  conformity assessment procedures in Annex VI and VII and the provisions establishing the  high-risk AI systems to which the conformity assessment procedure based on assessment of  the quality management system and assessment of the technical documentation should  apply. It is of particular importance that the Commission carry out appropriate consultations  during its preparatory work, including at expert level, and that those consultations be  conducted in accordance with the principles laid down in the Interinstitutional Agreement of  13 April 2016 on Better Law-Making29. In particular, to ensure equal participation in the preparation of delegated acts, the European Parliament and the Council receive all  documents at the same time as Member States’ experts, and their experts systematically  have access to meetings of Commission expert groups dealing with the preparation of  delegated acts. Such consultations and advisory support should also be carried out in the  framework of the activities of the AI Board and its subgroups.

–––
29. OJ L 123, 12.5.2016, p. 1.		(85) In order to ensure that the regulatory framework can be adapted where necessary, the power to adopt acts in accordance with Article 290 TFEU should be delegated to the Commission to amend the Union harmonisation legislation listed in Annex II, the high-risk AI systems listed in Annex III, the provisions regarding technical documentation listed in Annex IV, the content of the EU declaration of conformity in Annex V, the provisions regarding the conformity assessment procedures in Annex VI and VII and the provisions establishing the high-risk AI systems to which the conformity assessment procedure based on assessment of the quality management system and assessment of the technical documentation should apply. It is of particular importance that the Commission carry out appropriate consultations during its preparatory work, including at expert level, and that those consultations be conducted in accordance with the principles laid down in the Interinstitutional Agreement of 13 April 2016 on Better Law-Making. These consultations should involve the participation of a balanced selection of stakeholders, including consumer organisations, civil society, associations representing affected persons, businesses representatives from different sectors and sizes, as well as researchers and scientists. In particular, to ensure equal participation in the preparation of delegated acts, the European Parliament and the Council receive all documents at the same time as Member States’ experts, and their experts systematically have access to meetings of Commission expert groups dealing with the preparation of delegated acts. Such consultations and advisory support should also be carried out in the framework of the activities of the AI Board and its subgroups.

–––
OJ L 123, 12.5.2016, p. 1.
Recital (85a) (new)(85a) Given the rapid technological developments and the required technical expertise in conducting the assessment of high-risk AI systems, the Commission should regularly review the implementation of this Regulation, in particular the prohibited AI systems, the transparency obligations and the list of high-risk areas and use cases, at least every year, while consulting the AI office and the relevant stakeholders.Given the rapid technological advancements and the necessary technical expertise in evaluating high-risk AI systems, it is proposed that the Commission should conduct a regular review of the implementation of this Regulation. This review should particularly focus on the prohibited AI systems, the transparency obligations, and the list of high-risk areas and use cases. This review should be conducted at least annually, with the Commission consulting the AI office and relevant stakeholders during the process.
Recital (86)(86) In order to ensure uniform conditions for the implementation of this Regulation, implementing powers should be conferred on the Commission. Those powers should be exercised in accordance with Regulation (EU) No 182/2011 of the European Parliament and of the Council.59


59. Regulation (EU) No 182/2011 of the European Parliament and of the Council of 16 February 2011 laying down the rules and general principles concerning mechanisms for control by the Member States of the Commission’s exercise of implementing powers (OJ L 55, 28.2.2011, p.13).		(86) In order to ensure uniform conditions for the implementation of this Regulation, implementing powers should be conferred on the Commission. Those powers should be exercised in accordance with Regulation (EU) No 182/2011 of the European Parliament and of the Council.59


59. Regulation (EU) No 182/2011 of the European Parliament and of the Council of 16 February 2011 laying down the rules and general principles concerning mechanisms for control by the Member States of the Commission’s exercise of implementing powers (OJ L 55, 28.2.2011, p.13).		(86) In order to ensure uniform conditions for the implementation of this Regulation,  implementing powers should be conferred on the Commission. Those powers should be  exercised in accordance with Regulation (EU) No 182/2011 of the European Parliament and  of the Council30. It is of particular importance that, in accordance with the principles laid  down in the Interinstitutional Agreement of 13 April 2016 on Better Law-Making, whenever  broader expertise is needed in the early preparation of draft implementing acts, the  Commission makes use of expert groups, consults targeted stakeholders or carries out public  consultations, as appropriate. Such consultations and advisory support should also be carried  out in the framework of the activities of the AI Board and its subgroups, including the  preparation of implementing acts in relation to Articles 4, 4b and 6. 


30. Regulation (EU) No 182/2011 of the European Parliament and of the Council of 16 February 2011 laying down the rules and general principles concerning mechanisms for control by the Member States of the Commission’s exercise of implementing powers (OJ L 55, 28.2.2011, p.13).		(86) In order to ensure uniform conditions for the implementation of this Regulation, implementing powers should be conferred on the Commission. Those powers should be exercised in accordance with Regulation (EU) No 182/2011 of the European Parliament and of the Council. It is of particular importance that, in accordance with the principles laid down in the Interinstitutional Agreement of 13 April 2016 on Better Law-Making, whenever broader expertise is needed in the early preparation of draft implementing acts, the Commission makes use of expert groups, consults targeted stakeholders or carries out public consultations, as appropriate. Such consultations and advisory support should also be carried out in the framework of the activities of the AI Board and its subgroups, including the preparation of implementing acts in relation to Articles 4, 4b and 6.


Regulation (EU) No 182/2011 of the European Parliament and of the Council of 16 February 2011 laying down the rules and general principles concerning mechanisms for control by the Member States of the Commission’s exercise of implementing powers (OJ L 55, 28.2.2011, p.13).
Recital (87)(87) Since the objective of this Regulation cannot be sufficiently achieved by the Member States and can rather, by reason of the scale or effects of the action, be better achieved at Union level, the Union may adopt measures in accordance with the principle of subsidiarity as set out in Article 5 TEU. In accordance with the principle of proportionality as set out in that Article, this Regulation does not go beyond what is necessary in order to achieve that objective.(87) Since the objective of this Regulation cannot be sufficiently achieved by the Member States and can rather, by reason of the scale or effects of the action, be better achieved at Union level, the Union may adopt measures in accordance with the principle of subsidiarity as set out in Article 5 TEU. In accordance with the principle of proportionality as set out in that Article, this Regulation does not go beyond what is necessary in order to achieve that objective.(87) Since the objective of this Regulation cannot be sufficiently achieved by the Member States  and can rather, by reason of the scale or effects of the action, be better achieved at Union  level, the Union may adopt measures in accordance with the principle of subsidiarity as set  out in Article 5 TEU. In accordance with the principle of proportionality as set out in that  Article, this Regulation does not go beyond what is necessary in order to achieve that  objective.(87) Since the objective of this Regulation cannot be sufficiently achieved by the Member States and can rather, by reason of the scale or effects of the action, be better achieved at Union level, the Union may adopt measures in accordance with the principle of subsidiarity as set out in Article 5 TEU. In accordance with the principle of proportionality as set out in that Article, this Regulation does not go beyond what is necessary in order to achieve that objective.
Recital (87a) (new) [C](87a) In order to ensure legal certainty, ensure an appropriate adaptation period for operators and avoid disruption to the market, including by ensuring continuity of the use of AI systems, it is appropriate that this Regulation applies to the high-risk AI systems that have been placed on the market or put into service before the general date of application thereof, only if, from that date, those systems are subject to significant changes in their design or intended purpose. It is appropriate to clarify that, in this respect, the concept of significant change should be understood as equivalent in substance to the notion of substantial modification, which is used with regard only to high-risk AI systems as defined in this Regulation.
In order to ensure legal certainty, facilitate an appropriate adaptation period for operators, and prevent market disruption, including the continuity of AI systems usage, this Regulation should apply to high-risk AI systems that have been placed on the market or put into service prior to the general date of application. However, this should only be the case if, from that date, these systems undergo significant changes in their design or intended purpose. For clarity, the term ‘significant change’ should be interpreted as being equivalent to the concept of ‘substantial modification’, which is used exclusively for high-risk AI systems as defined in this Regulation.
Recital (87a) (new) [P](87a) As reliable information on the resource and energy use, waste production and other environmental impact of AI systems and related ICT technology, including software, hardware and in particular data centres, is limited, the Commission should introduce of an adequate methodology to measure the environmental impact and effectiveness of this Regulation in light of the Union environmental and climate objectives.Given the limited reliable information on the resource and energy use, waste production, and other environmental impacts of AI systems and related ICT technology, including software, hardware, and particularly data centres, it is proposed that the Commission should develop an adequate methodology to measure the environmental impact and effectiveness of this Regulation, in alignment with the Union’s environmental and climate objectives.
Recital (88)(88) This Regulation should apply from … [OP – please insert the date established in Art. 85]. However, the infrastructure related to the governance and the conformity assessment system should be operational before that date, therefore the provisions on notified bodies and governance structure should apply from … [OP – please insert the date – three months following the entry into force of this Regulation]. In addition, Member States should lay down and notify to the Commission the rules on penalties, including administrative fines, and ensure that they are properly and effectively implemented by the date of application of this Regulation. Therefore the provisions on penalties should apply from [OP – please insert the date – twelve months following the entry into force of this Regulation].(88) This Regulation should apply from … [OP – please insert the date established in Art. 85]. However, the infrastructure related to the governance and the conformity assessment system should be operational before that date, therefore the provisions on notified bodies and governance structure should apply from … [OP – please insert the date – three months following the entry into force of this Regulation]. In addition, Member States should lay down and notify to the Commission the rules on penalties, including administrative fines, and ensure that they are properly and effectively implemented by the date of application of this Regulation. Therefore the provisions on penalties should apply from [OP – please insert the date – twelve months following the entry into force of this Regulation].(88) This Regulation should apply from … [OP – please insert the date established in Art. 85].  However, the infrastructure related to the governance and the conformity assessment system  should be operational before that date, therefore the provisions on notified bodies and  governance structure should apply from … [OP – please insert the date – three months  following the entry into force of this Regulation]. In addition, Member States should lay  down and notify to the Commission the rules on penalties, including administrative fines,  and ensure that they are properly and effectively implemented by the date of application of  this Regulation. Therefore the provisions on penalties should apply from [OP – please insert  the date – twelve months following the entry into force of this Regulation].(88) This Regulation should apply from … [OP – please insert the date established in Art. 85]. However, the infrastructure related to the governance and the conformity assessment system should be operational before that date, therefore the provisions on notified bodies and governance structure should apply from … [OP – please insert the date – three months following the entry into force of this Regulation]. In addition, Member States should lay down and notify to the Commission the rules on penalties, including administrative fines, and ensure that they are properly and effectively implemented by the date of application of this Regulation. Therefore the provisions on penalties should apply from [OP – please insert the date – twelve months following the entry into force of this Regulation].
Recital (89)(89) The European Data Protection Supervisor and the European Data Protection Board were consulted in accordance with Article 42(2) of Regulation (EU) 2018/1725 and delivered an opinion on […]”.(89) The European Data Protection Supervisor and the European Data Protection Board were consulted in accordance with Article 42(2) of Regulation (EU) 2018/1725 and delivered an opinion on 18 June 2021.(89) The European Data Protection Supervisor and the European Data Protection Board were  consulted in accordance with Article 42(2) of Regulation (EU) 2018/1725 and delivered an  opinion on […]”.(89) The European Data Protection Supervisor and the European Data Protection Board were consulted in accordance with Article 42(2) of Regulation (EU) 2018/1725 and delivered an opinion on 18 June 2021.
HAVE ADOPTED THIS REGULATION:HAVE ADOPTED THIS REGULATION:HAVE ADOPTED THIS REGULATION:None

TITLE I: General Provisions

Article 1
NumberingCommissionParliamentCouncilText proposed by the AI
Article 1 Article 1
Subject matter		Article 1
Subject matter		Article 1
Subject matter		None
Article 1 – paragraph 1 (new)
1. The purpose of this Regulation is to promote the uptake of human-centric and trustworthy artificial intelligence and to ensure a high level of protection of health, safety, fundamental rights, democracy and the rule of law, and the environment from harmful effects of artificial intelligence systems in the Union while supporting innovation;This Regulation aims to foster the adoption of human-centric and trustworthy artificial intelligence, ensuring a high level of protection for health, safety, fundamental rights, democracy, the rule of law, and the environment from the potential harmful effects of artificial intelligence systems within the Union, while simultaneously promoting innovation.
Article 1 – paragraph 1 – introductory part This Regulation lays down:This Regulation lays down:This Regulation lays down:None
Article 1 – paragraph 1 – point (a)(a) harmonised rules for the placing on the market, the putting into service and the use of artificial intelligence systems (‘AI systems’) in the Union;(a) harmonised rules for the placing on the market, the putting into service and the use of artificial intelligence systems (‘AI systems’) in the Union;(a) harmonised rules for the placing on the market, the putting into service and the use of artificial intelligence systems (‘AI systems’) in the Union; (a) harmonised rules for the placing on the market, the putting into service and the use of artificial intelligence systems (‘AI systems’) in the Union;
Article 1 – paragraph 1 – point (b)(b) prohibitions of certain artificial intelligence practices;(b) prohibitions of certain artificial intelligence practices;(b) prohibitions of certain artificial intelligence practices; (b) prohibitions of certain artificial intelligence practices;
Article 1 – paragraph 1 – point (c)(c) specific requirements for high-risk AI systems and obligations for operators of such systems;(c) specific requirements for high-risk AI systems and obligations for operators of such systems;(c) specific requirements for high-risk AI systems and obligations for operators of such systems;(c) specific requirements for high-risk AI systems and obligations for operators of such systems;

Article 1 – paragraph 1 – point (d)
(d) harmonised transparency rules for AI systems intended to interact with natural persons, emotion recognition systems and biometric categorisation systems, and AI systems used to generate or manipulate image, audio or video content;(d) harmonised transparency rules for certain AI systems(d) harmonised transparency rules for certain AI systems;(d) harmonised transparency rules for certain AI systems, specifically those intended to interact with natural persons, emotion recognition systems, biometric categorisation systems, and AI systems used to generate or manipulate image, audio or video content;

Article 1 – paragraph 1 – point (e)
(e) rules on market monitoring and surveillance.(e) rules on market monitoring, market surveillance governance and enforcement;(e) rules on market monitoring, market surveillance and governance;(e) rules on market monitoring, market surveillance, governance and enforcement;
Article 1 – paragraph 1 – point ea (new)

(ea) measures to support innovation, with a particular focus on SMEs and start-ups, including on setting up regulatory sandboxes and targeted measures to reduce the regulatory burden on SMEs’s and start-ups;(ea) measures in support of innovation.(ea) measures to support innovation, particularly focusing on SMEs and start-ups, including the establishment of regulatory sandboxes and targeted measures to alleviate the regulatory burden on SMEs and start-ups.
Article 1 – paragraph 1 – point e b (new)(eb) rules for the establishment and functioning of the Union’s Artificial Intelligence Office (AI Office).“Establishment and functioning rules for the Union’s Artificial Intelligence Office (AI Office).”
Article 2
NumberingCommissionParliamentCouncilText proposed by the AI
Article 2 Article 2
Scope		Article 2
Scope		Article 2
Scope		None
Article 2 – paragraph 1 – introductory part 1.This Regulation applies to:1.This Regulation applies to:1. This Regulation applies to:None
Article 2 – paragraph 1 – point a(a) providers placing on the market or putting into service AI systems in the Union, irrespective of whether those providers are established within the Union or in a third country;(a) providers placing on the market or putting into service AI systems in the Union, irrespective of whether those providers are established within the Union or in a third country;(a) providers placing on the market or putting into service AI systems in the Union, irrespective of whether those providers are physically present or established within the Union or in a third country;(a) providers placing on the market or putting into service AI systems in the Union, irrespective of whether those providers are established or physically present within the Union or in a third country;
Article 2 – paragraph 1 – point b(b) users of AI systems located within the Union;(b) deployers of AI systems that have their place of establishment or who are located within the Union;(b) users of AI systems who are physically present or established within the Union;(b) users and deployers of AI systems who have their place of establishment, are located, or are physically present within the Union;
Article 2 – paragraph 1 – point c
(c) providers and users of AI systems that are located in a third country, where the output produced by the system is used in the Union;(c) providers and deployers of AI systems that have their place of establishment or who are located in a third country, where either Member State law applies by virtue of a public international law or the output produced by the system is intended to be used in the Union;(c) providers and users of AI systems who are physically present or established in a third country, where the output produced by the system is used in the Union;(c) providers, deployers, and users of AI systems that have their place of establishment, are located or are physically present in a third country, where either Member State law applies by virtue of a public international law or the output produced by the system is intended to be used or is used in the Union;
Article 2 – paragraph 1 – point cb [P] / point d [C] (new)(cb) importers and distributors of AI systems as well as authorised representatives of providers of AI systems, where such importers, distributors or authorised representatives have their establishment or are located in the Union;(d) importers and distributors of AI systems;Importers and distributors of AI systems, as well as authorised representatives of providers of AI systems, where such importers, distributors or authorised representatives have their establishment or are located in the Union.
Article 2 – paragraph 1 – point e (new)(e) product manufacturers placing on the market or putting into service an AI system together with their product and under their own name or trademark;None
Article 2 – paragraph 1 – point f (new)(f) authorised representatives of providers, which are established in the Union;None
Article 2 – paragraph 1 – point ca (new)(ca) providers placing on the market or putting into service AI systems referred to in Article 5 outside the Union where the provider or distributor of such systems is located within the Union;Providers located within the Union, who are placing on the market or putting into service AI systems referred to in Article 5 outside the Union.
Article 2 – paragraph 1 – point cc / f (new)(cc) affected persons as defined in Article 3(8a) that are located in the Union and whose health, safety or fundamental rights are adversely impacted by the use of an AI system that is placed on the market or put into service within the Union.Affected individuals as per Article 3(8a), who are situated within the Union and whose health, safety, or fundamental rights are negatively affected by the deployment of an AI system that is introduced to the market or put into service within the Union.
Article 2 – paragraph 2 – introductory part2. For high-risk AI systems that are safety components of products or systems, or which are themselves products or systems, falling within the scope of the following acts, only Article 84 of this Regulation shall apply:2. For high-risk AI systems that are safety components of products or systems, or which are themselves products or systems and that fall, within the scope of harmonisation legislation listed in Annex II – Section B, only Article 84 of this Regulation shall apply;2. For AI systems classified as high-risk AI systems in accordance with Articles 6(1) and 6(2) related to products covered by Union harmonisation legislation listed in Annex II, section B only Article 84 of this Regulation shall apply. Article 53 shall apply only insofar as the requirements for high-risk AI systems under this Regulation have been integrated under that Union harmonisation legislation.2. For AI systems classified as high-risk AI systems in accordance with Articles 6(1) and 6(2), that are safety components of products or systems, or which are themselves products or systems, and that fall within the scope of Union harmonisation legislation listed in Annex II – Section B, only Article 84 of this Regulation shall apply. Article 53 shall apply only insofar as the requirements for high-risk AI systems under this Regulation have been integrated under that Union harmonisation legislation.
Article 2 – paragraph 2 – point a(a) Regulation (EC) 300/2008;deleteddeletedNone
Article 2 – paragraph 2 – point b(b) Regulation (EU) No 167/2013;deleteddeletedNone
Article 2 – paragraph 2 – point c(c) Regulation (EU) No 168/2013;deleteddeletedNone
Article 2 – paragraph 2 – point d(d) Directive 2014/90/EU;deleteddeletedNone
Article 2 – paragraph 2 – point e(e) Directive (EU) 2016/797;deleteddeletedNone
Article 2 – paragraph 2 – point f(f) Regulation (EU) 2018/858;deleteddeletedNone
Article 2 – paragraph 2 – point g(g) Regulation (EU) 2018/1139;deleteddeletedNone
Article 2 – paragraph 2 – point h(h) Regulation (EU) 2019/2144.deleteddeletedNone
Article 2 – paragraph 3This Regulation shall not apply to AI systems developed or used exclusively for military purposes.This Regulation shall not apply to AI systems developed or used exclusively for military purposes.3. This Regulation shall not apply to AI systems if and insofar placed on the market, put into service, or used with or without modification of such systems for the purpose of activities which fall outside the scope of Union law, and in any event activities concerning military, defence or national security, regardless of the type of entity carrying out those activities.

In addition, this Regulation shall not apply to AI systems which are not placed on the market or put into service in the Union, where the output is used in the Union for the purpose of activities which fall outside the scope of Union law, and in any event activities concerning military, defence or national security, regardless of the type of entity carrying out those activities.
This Regulation shall not apply to AI systems developed, placed on the market, put into service, or used, with or without modification, exclusively for military purposes or for activities concerning military, defence or national security, regardless of the type of entity carrying out those activities. This exclusion also applies to AI systems which are not placed on the market or put into service in the Union, where the output is used in the Union for the same purposes.
Article 2 – paragraph 4
4. This Regulation shall not apply to public authorities in a third country nor to international organisations falling within the scope of this Regulation pursuant to paragraph 1, where those authorities or organisations use AI systems in the framework of international agreements for law enforcement and judicial cooperation with the Union or with one or more Member States.4. This Regulation shall not apply to public authorities in a third country nor to international organisations falling within the scope of this Regulation pursuant to paragraph 1, where those authorities or organisations use AI systems in the framework of international cooperation or agreements for law enforcement and judicial cooperation with the Union or with one or more Member States and are subject of a decision of the Commission adopted in accordance with Article 36 of Directive (EU)2016/680 or Article 45 of Regulation 2016/679 (adequacy decision) or are part of an international agreement concluded between the Union and that third country or international organisation pursuant to Article 218 TFUE providing adequate safeguards with respect to the protection of privacy and fundamental rights and freedoms of individuals;4. This Regulation shall not apply to public authorities in a third country nor to international  organisations falling within the scope of this Regulation pursuant to paragraph 1, where  those authorities or organisations use AI systems in the framework of international  agreements for law enforcement and judicial cooperation with the Union or with one or  more Member States. 4. This Regulation shall not apply to public authorities in a third country nor to international organisations falling within the scope of this Regulation pursuant to paragraph 1, where those authorities or organisations use AI systems in the framework of international agreements or cooperation for law enforcement and judicial cooperation with the Union or with one or more Member States, and are subject of a decision of the Commission adopted in accordance with Article 36 of Directive (EU)2016/680 or Article 45 of Regulation 2016/679 (adequacy decision) or are part of an international agreement concluded between the Union and that third country or international organisation pursuant to Article 218 TFUE providing adequate safeguards with respect to the protection of privacy and fundamental rights and freedoms of individuals.
Article 2 – paragraph 5
This Regulation shall not affect the application of the provisions on the liability of intermediary service providers set out in Chapter II, Section IV of Directive 2000/31/EC of the European Parliament and of the Council60 [as to be replaced by the corresponding provisions of the Digital Services Act].


60. Directive 2000/31/EC of the European Parliament and of the Council of 8 June 2000 on certain legal aspects of information society services, in particular electronic commerce, in the Internal Market (‘Directive on electronic commerce’) (OJ L 178, 17.7.2000, p. 1).		This Regulation shall not affect the application of the provisions on the liability of intermediary service providers set out in Chapter II, Section IV of Directive 2000/31/EC of the European Parliament and of the Council60 [as to be replaced by the corresponding provisions of the Digital Services Act].


60. Directive 2000/31/EC of the European Parliament and of the Council of 8 June 2000 on certain legal aspects of information society services, in particular electronic commerce, in the Internal Market (‘Directive on electronic commerce’) (OJ L 178, 17.7.2000, p. 1).		5. This Regulation shall not affect the application of the provisions on the liability of  intermediary service providers set out in Chapter II, Section 4 of Directive 2000/31/EC of  the European Parliament and of the Council31 [as to be replaced by the corresponding  provisions of the Digital Services Act].


31. Directive 2000/31/EC of the European Parliament and of the Council of 8 June 2000 on certain legal aspects of information society services, in particular electronic commerce, in the Internal Market (‘Directive on electronic commerce’) (OJ L 178, 17.7.2000, p. 1).		This Regulation shall not affect the application of the provisions on the liability of intermediary service providers set out in Chapter II, Section IV (or 4) of Directive 2000/31/EC of the European Parliament and of the Council [as to be replaced by the corresponding provisions of the Digital Services Act].


Directive 2000/31/EC of the European Parliament and of the Council of 8 June 2000 on certain legal aspects of information society services, in particular electronic commerce, in the Internal Market (‘Directive on electronic commerce’) (OJ L 178, 17.7.2000, p. 1).
Article 2 – paragraph 6 (new)6. This Regulation shall not apply to AI systems, including their output, specifically developed and put into service for the sole purpose of scientific research and development.This Regulation shall not apply to AI systems, including their output, that are specifically developed and put into service solely for the purpose of scientific research and development.
Article 2 – paragraph5a (new)5a. Union law on the protection of personal data, privacy and the confidentiality of communications applies to personal data processes in connection with the rights and obligations laid down in this Regulation. This Regulation shall not affect Regulations (EU) 2016/679 and (EU) 2018/1725 and Directives 2002/58/EC and (EU) 2016/680, without prejudice to arrangements provided for in Article 10(5) and Article 54 of this Regulation.;This Regulation shall uphold Union law on the protection of personal data, privacy, and the confidentiality of communications, specifically in relation to personal data processes associated with the rights and obligations established herein. This Regulation shall not impact Regulations (EU) 2016/679 and (EU) 2018/1725 and Directives 2002/58/EC and (EU) 2016/680, notwithstanding the provisions set out in Article 10(5) and Article 54 of this Regulation.
Article 2 – paragraph 7(new)7. This Regulation shall not apply to any research and development activity regarding AI systems.This Regulation shall not apply to any research and development activity related to AI systems.
Article 2 – paragraph 5b(new)5b. This Regulation is without prejudice to the rules laid down by other Union legal acts related to consumer protection and product safety;This Regulation is without prejudice to the rules established by other Union legal acts related to consumer protection and product safety.
Article 2 – paragraph 8 (new)8. This Regulation shall not apply to obligations of users who are natural persons using AI systems in the course of a purely personal non-professional activity, except Article 52.
This Regulation shall not apply to obligations of users who are natural persons using AI systems in the course of a purely personal non-professional activity, except Article 52.
Article 2 – paragraph 5c (new)5c. This regulation shall not preclude Member States or the Union from maintaining or introducing laws, regulations or administrative provisions which are more favourable to workers in terms of protecting their rights in respect of the use of AI systems by employers, or to encourage or allow the application of collective agreements which are more favourable to workers.This regulation shall not prevent Member States or the Union from maintaining or introducing laws, regulations or administrative provisions which are more favourable to workers in terms of protecting their rights in respect of the use of AI systems by employers, or to encourage or allow the application of collective agreements which are more favourable to workers.
Article 2 – paragraph 5d (new)5d. This Regulation shall not apply to research, testing and development activities regarding an AI system prior to this system being placed on the market or put into service, provided that these activities are conducted respecting fundamental rights and the applicable Union law. The testing in real world conditions shall not be covered by this exemption.The Commission is empowered to may adopt delegated acts in accordance with Article 73 that clarify the application of this paragraph to specify this exemption to prevent its existing and potential abuse. The AI Office shall provide guidance on the governance of research and development pursuant to Article 56, also aiming to coordinate its application by the national supervisory authorities;This Regulation shall not apply to research, testing, and development activities related to an AI system prior to its placement on the market or its entry into service, provided that these activities respect fundamental rights and comply with applicable Union law. However, testing in real-world conditions is not included in this exemption. The Commission is authorized to adopt delegated acts in accordance with Article 73 to clarify the application of this paragraph and specify this exemption to prevent its existing and potential abuse. The AI Office will provide guidance on the governance of research and development in accordance with Article 56, with the aim of coordinating its application by the national supervisory authorities.
Article 2 – paragraph 5e (new)5e. This Regulation shall not apply to AI components provided under free and open-source licences except to the extent they are placed on the market or put into service by a provider as part of a high-risk AI system or of an AI system that falls under Title II or IV. This exemption shall not apply to foundation models as defined in Art 3.This Regulation shall not apply to AI components provided under free and open-source licences, unless they are placed on the market or put into service by a provider as part of a high-risk AI system or of an AI system that falls under Title II or IV. However, this exemption shall not apply to foundation models as defined in Art 3.
Article 3
NumberingCommissionParliamentCouncilText proposed by the AI
Article 3Article 3
Definitions		Article 3
Definitions		Article 3
Definitions		None
Article 3 – introductory partFor the purpose of this Regulation, the following definitions apply:For the purpose of this Regulation, the following definitions apply:For the purpose of this Regulation, the following definitions apply:None
Article 3 – paragraph 1 – point 1(1) ‘artificial intelligence system’ (AI system) means software that is developed with one or more of the techniques and approaches listed in Annex I and can, for a given set of human-defined objectives, generate outputs such as content, predictions, recommendations, or decisions influencing the environments they interact with;(1) ‘‘artificial intelligence system’ (AI system) means a machine-based system that is designed to operate with varying levels of autonomy and that can, for explicit or implicit objectives, generate outputs such as predictions, recommendations, or decisions, that influence physical or virtual environments;(1) ‘artificial intelligence system’ (AI system) means a system that is designed to operate with elements of autonomy and that, based on machine and/or human-provided data and inputs, infers how to achieve a given set of objectives using machine learning and/or logic- and knowledge based approaches, and produces system-generated outputs such as content (generative AI systems), predictions, recommendations or decisions, influencing the environments with which the AI system interacts;(1) ‘artificial intelligence system’ (AI system) means a system that is developed with one or more of the techniques and approaches listed in Annex I, designed to operate with varying levels of autonomy, and can, for a given set of human-defined, explicit or implicit objectives, generate outputs such as content, predictions, recommendations, or decisions. These outputs, based on machine and/or human-provided data and inputs, influence the physical or virtual environments they interact with, using machine learning and/or logic- and knowledge-based approaches.
Article 3 – paragraph 1 – point 1a (new [C](1a) ‘life cycle of an AI system’ means the duration of an AI system, from design through retirement. Without prejudice to the powers of the market surveillance authorities, such retirement may happen at any point in time during the post-market monitoring phase upon the decision of the provider and implies that the system may not be used further. An AI system lifecycle is also ended by a substantial modification to the AI system made by the provider or any other natural or legal person, in which case the substantially modified AI system shall be considered as a new AI system.The life cycle of an AI system is defined as the duration of an AI system, from its design through to its retirement. This retirement can occur at any point during the post-market monitoring phase, based on the decision of the provider, and signifies that the system may not be used further. The life cycle of an AI system also concludes when a substantial modification is made to the AI system by the provider or any other natural or legal person. In such cases, the substantially modified AI system is considered as a new AI system. This definition does not infringe upon the powers of the market surveillance authorities.
Article 3 – paragraph 1 – point 1a (new) [P](1a) ‘risk’ means the combination of the probability of an occurrence of  harm and the severity of that harm;Risk’ is defined as the combination of the likelihood of an occurrence of harm and the severity of that harm.
Article 3 – paragraph 1 – point 1b [C] / point 1d [P] (new)(1d) ‘general purpose AI system’ means an AI system that can be used in and adapted to a wide range of applications for which it was not intentionally and specifically designed;(1b) ‘general purpose AI system’ means an AI system that – irrespective of how it is placed on the market or put into service, including as open source software – is intended by the provider to perform generally applicable functions such as image and speech recognition, audio and video generation, pattern detection, question answering, translation and others; a general purpose AI system may be used in a plurality of contexts and be integrated in a plurality of other AI systems;‘General purpose AI system’ means an AI system that, irrespective of how it is placed on the market or put into service, including as open source software, is intended by the provider to perform generally applicable functions such as image and speech recognition, audio and video generation, pattern detection, question answering, translation and others. This system can be used in and adapted to a wide range of applications for which it was not intentionally and specifically designed. A general purpose AI system may be used in a plurality of contexts and be integrated in a plurality of other AI systems.
Article 3 – paragraph 1 – point 1b (new)(1b) ‘significant risk’ means a risk that is significant as a result of the combination of its severity, intensity, probability of occurrence, and duration of its effects, and its the ability to affect an individual, a plurality of persons or to affect a particular group of persons;Significant risk’ is defined as a risk that becomes significant due to the combination of its severity, intensity, likelihood of occurrence, and the duration of its effects. It also includes its capacity to impact an individual, multiple individuals, or a specific group of individuals.
Article 3 – paragraph 1 – point 1c (new)(1c) ‘foundation model’ means an AI system model that is trained on broad data at scale, is designed for generality of output, and can be adapted to a wide range of distinctive tasks;Foundation model’ is defined as an AI system model that is trained on a broad scale of data, designed for generality of output, and can be adapted to a wide range of distinctive tasks.
Article 3 – paragraph 1 – point 1e (new)(1e) ‘large training runs’ means the production process of a powerful AI model that require computing resources above a very high threshold;Large training runs’ is defined as the production process of a highly powerful AI model that necessitates the use of computing resources exceeding a significantly high threshold.
Article 3 – paragraph 1 – point 2(2) ‘provider’ means a natural or legal person, public authority, agency or other body that develops an AI system or that has an AI system developed with a view to placing it on the market or putting it into service under its own name or trademark, whether for payment or free of charge;(2) ‘provider’ means a natural or legal person, public authority, agency or other body that develops an AI system or that has an AI system developed with a view to placing it on the market or putting it into service under its own name or trademark, whether for payment or free of charge;(2) ‘provider’ means a natural or legal person, public authority, agency or other body that develops an AI system or that has an AI system developed and places that system on the market or puts it into service under its own name or trademark, whether for payment or free of charge;(2) ‘provider’ means a natural or legal person, public authority, agency or other body that develops an AI system or that has an AI system developed with a view to placing it on the market or putting it into service under its own name or trademark, and places that system on the market or puts it into service, whether for payment or free of charge;
Article 3 – paragraph 1 – point 3(3) ‘small-scale provider’ means a provider that is a micro or small enterprise within the meaning of Commission Recommendation 2003/361/EC61 ;
__________________

61 Commission Recommendation of 6 May 2003 concerning the definition of micro, small and medium-sized enterprises (OJ L 124, 20.5.2003, p. 36).		deleteddeletedNone
Article 3 – paragraph 1 – point 3a (new)(3a) ‘small and medium-sized enterprise’ (SMEs) means an enterprise as defined in the Annex of Commission Recommendation 2003/361/EC concerning the definition of micro, small and medium-sized enterprises;(3a) ‘small and medium-sized enterprise’ (SMEs) is defined as an enterprise in accordance with the Annex of Commission Recommendation 2003/361/EC concerning the definition of micro, small and medium-sized enterprises.
Article 3 – paragraph 1 – point 4(4) ‘user’ means any natural or legal person, public authority, agency or other body using an AI system under its authority, except where the AI system is used in the course of a personal non-professional activity;(4) ‘deployer  means any natural or legal person, public authority, agency or other body using an AI system under its authority except where the AI system is used in the course of a personal non-professional activity;(4) ‘user’ means any natural or legal person, including a public authority, agency or other  body, under whose authority the system is used; (4) ‘user’ or ‘deployer’ means any natural or legal person, public authority, agency or other body, including a public authority, agency or other body, using an AI system under its authority, except where the AI system is used in the course of a personal non-professional activity;
Article 3 – paragraph 1 – point 5(5) ‘authorised representative’ means any natural or legal person established in the Union who has received a written mandate from a provider of an AI system to, respectively, perform and carry out on its behalf the obligations and procedures established by this Regulation;(5) ‘authorised representative’ means any natural or legal person established in the Union who has received a written mandate from a provider of an AI system to, respectively, perform and carry out on its behalf the obligations and procedures established by this Regulation;(5) ‘authorised representative’ means any natural or legal person physically present or established in the Union who has received and accepted a written mandate from a provider of an AI system to, respectively, perform and carry out on its behalf the obligations and procedures established by this Regulation;(5) ‘authorised representative’ means any natural or legal person established and physically present in the Union who has received and accepted a written mandate from a provider of an AI system to, respectively, perform and carry out on its behalf the obligations and procedures established by this Regulation;
Article 3 – paragraph 1 – point 5a (new)(5a) ‘product manufacturer’ means a manufacturer within the meaning of any of the Union harmonisation legislation listed in Annex II(5a) ‘product manufacturer’ refers to a manufacturer as defined by any of the Union harmonisation legislation listed in Annex II.
Article 3 – paragraph 1 – point 6(6)‘importer’ means any natural or legal person established in the Union that places on the market or puts into service an AI system that bears the name or trademark of a natural or legal person established outside the Union;(6)‘importer’ means any natural or legal person established in the Union that places on the market or puts into service an AI system that bears the name or trademark of a natural or legal person established outside the Union;(6) ‘importer’ means any natural or legal person physically present or established in the Union that places on the market an AI system that bears the name or trademark of a natural or legal person established outside the Union(6) ‘importer’ means any natural or legal person established or physically present in the Union that places on the market or puts into service an AI system that bears the name or trademark of a natural or legal person established outside the Union;
Article 3 – paragraph 1 – point 7(7)‘distributor’ means any natural or legal person in the supply chain, other than the provider or the importer, that makes an AI system available on the Union market without affecting its properties;(7)‘distributor’ means any natural or legal person in the supply chain, other than the provider or the importer, that makes an AI system available on the Union market without affecting its properties;(7) ‘distributor’ means any natural or legal person in the supply chain, other than the provider or the importer, that makes an AI system available on the Union market;(7) ‘distributor’ means any natural or legal person in the supply chain, other than the provider or the importer, that makes an AI system available on the Union market;
Article 3 – paragraph 1 – point 8(8) ‘operator’ means the provider, the user, the authorised representative, the importer and the distributor;(8) ‘operator’ means the provider, the deployer, the authorised representative, the importer and the distributor;(8) ‘operator’ means the provider, the product manufacturer, the user, the authorised representative, the importer or the distributor;(8) ‘operator’ means the provider, the user, the deployer, the product manufacturer, the authorised representative, the importer and the distributor;
Article 3 – paragraph 1 – point 8a (new)(8a) ‘affected person’ means any natural person or group of persons who are subject to or otherwise affected by an AI system;Affected person’ is defined as any natural person or group of persons who are subject to or otherwise impacted by an AI system.
Article 3 – paragraph 1 – point 9(9)‘placing on the market’ means the first making available of an AI system on the Union market;(9)‘placing on the market’ means the first making available of an AI system on the Union market;(9) ‘placing on the market’ means the first making available of an AI system on the Union market;(9) ‘placing on the market’ means the first making available of an AI system on the Union market;
Article 3 – paragraph 1 – point 10(10)‘making available on the market’ means any supply of an AI system for distribution or use on the Union market in the course of a commercial activity, whether in return for payment or free of charge;(10)‘making available on the market’ means any supply of an AI system for distribution or use on the Union market in the course of a commercial activity, whether in return for payment or free of charge;(10) ‘making available on the market’ means any supply of an AI system for distribution or use on the Union market in the course of a commercial activity, whether in return for payment or free of charge;(10) ‘making available on the market’ means any supply of an AI system for distribution or use on the Union market in the course of a commercial activity, whether in return for payment or free of charge;
Article 3 – paragraph 1 – point 11(11) ‘putting into service’ means the supply of an AI system for first use directly to the user or for own use on the Union market for its intended purpose;(11) ‘putting into service’ means the supply of an AI system for first use directly to the deployer or for own use on the Union market for its intended purpose;(11) ‘putting into service’ means the supply of an AI system for first use directly to the user or for own use in the Union for its intended purpose;(11) ‘putting into service’ means the supply of an AI system for first use directly to the user or deployer or for own use on the Union market or in the Union for its intended purpose;
Article 3 – paragraph 1 – point 12(12)‘intended purpose’ means the use for which an AI system is intended by the provider, including the specific context and conditions of use, as specified in the information supplied by the provider in the instructions for use, promotional or sales materials and statements, as well as in the technical documentation;(12)‘intended purpose’ means the use for which an AI system is intended by the provider, including the specific context and conditions of use, as specified in the information supplied by the provider in the instructions for use, promotional or sales materials and statements, as well as in the technical documentation;(12) ‘intended purpose’ means the use for which an AI system is intended by the provider, including the specific context and conditions of use, as specified in the information supplied by the provider in the instructions for use, promotional or sales materials and statements, as well as in the technical documentation;(12) ‘intended purpose’ means the use for which an AI system is intended by the provider, including the specific context and conditions of use, as specified in the information supplied by the provider in the instructions for use, promotional or sales materials and statements, as well as in the technical documentation;
Article 3 – paragraph 1 – point 13(13) ‘reasonably foreseeable misuse’ means the use of an AI system in a way that is not in accordance with its intended purpose, but which may result from reasonably foreseeable human behaviour or interaction with other systems;(13) ‘reasonably foreseeable misuse’ means the use of an AI system in a way that is not in accordance with its intended purpose as indicated in instructions for use established by the provider, but which may result from reasonably foreseeable human behaviour or interaction with other systems, including other AI systems;(13) ‘reasonably foreseeable misuse’ means the use of an AI system in a way that is not in accordance with its intended purpose, but which may result from reasonably foreseeable human behaviour or interaction with other systems;(13) ‘reasonably foreseeable misuse’ means the use of an AI system in a way that is not in accordance with its intended purpose as indicated in instructions for use established by the provider, but which may result from reasonably foreseeable human behaviour or interaction with other systems, including other AI systems;
Article 3 – paragraph 1 – point 14(14) ‘safety component of a product or system’ means a component of a product or of a system which fulfils a safety function for that product or system or the failure or malfunctioning of which endangers the health and safety of persons or property(14) ‘safety component of a product or system’ means, in line with Union harmonisation law listed in Annex II, a component of a product or of a system which fulfils a safety function for that product or system, or the failure or malfunctioning of which endangers the health and safety of persons;(14) ‘safety component of a product or system’ means a component of a product or of a system which fulfils a safety function for that product or system or the failure or malfunctioning of which endangers the health and safety of persons or property;(14) ‘safety component of a product or system’ means, in line with Union harmonisation law listed in Annex II, a component of a product or of a system which fulfils a safety function for that product or system, or the failure or malfunctioning of which endangers the health and safety of persons or property;
Article 3 – paragraph 1 – point 15(15) ‘instructions for use’ means the information provided by the provider to inform the user of in particular an AI system’s intended purpose and proper use, inclusive of the specific geographical, behavioural or functional setting within which the high-risk AI system is intended to be used;(15) ‘instructions for use’ means the information provided by the provider to inform the deployer  of in particular an AI system’s intended purpose and proper use, as well as information on any precautions to be taken; inclusive of the specific geographical, behavioural or functional setting within which the high-risk AI system is intended to be used;(15) ‘instructions for use’ means the information provided by the provider to inform the user of in particular an AI system’s intended purpose and proper use;(15) ‘instructions for use’ means the information provided by the provider to inform the user or deployer of in particular an AI system’s intended purpose and proper use, as well as information on any precautions to be taken; inclusive of the specific geographical, behavioural or functional setting within which the high-risk AI system is intended to be used;
Article 3 – paragraph 1 – point 16(16) ‘recall of an AI system’ means any measure aimed at achieving the return to the provider of an AI system made available to users;(16) ‘recall of an AI system’ means any measure aimed at achieving the return to the provider of an AI system that has been made available to deployers;(16) ‘recall of an AI system’ means any measure aimed at achieving the return to the provider or taking it out of service or disabling the use of an AI system made available to users;(16) ‘recall of an AI system’ means any measure aimed at achieving the return to the provider, taking it out of service, or disabling the use of an AI system that has been made available to users or deployers;
Article 3 – paragraph 1 – point 17(17)‘withdrawal of an AI system’ means any measure aimed at preventing the distribution, display and offer of an AI system;(17)‘withdrawal of an AI system’ means any measure aimed at preventing the distribution, display and offer of an AI system;(17) ‘withdrawal of an AI system’ means any measure aimed at preventing an AI system in the supply chain being made available on the market;(17) ‘withdrawal of an AI system’ means any measure aimed at preventing the distribution, display, offer of an AI system, and its availability on the market in the supply chain;
Article 3 – paragraph 1 – point 18(18)‘performance of an AI system’ means the ability of an AI system to achieve its intended purpose;(18)‘performance of an AI system’ means the ability of an AI system to achieve its intended purpose;(18) ‘performance of an AI system’ means the ability of an AI system to achieve its intended purpose;(18) ‘performance of an AI system’ means the ability of an AI system to achieve its intended purpose;
Article 3 – paragraph 1 – point 19(19)‘notifying authority’ means the national authority responsible for setting up and carrying out the necessary procedures for the assessment, designation and notification of conformity assessment bodies and for their monitoring;(19) ‘notifying authority’ means the national authority responsible for setting up and carrying out the necessary procedures for the assessment, designation and notification of conformity assessment bodies and for their monitoring;(20) ‘notifying authority’ means the national authority responsible for setting up and carrying out the necessary procedures for the assessment, designation and notification of conformity assessment bodies and for their monitoring;(19) ‘notifying authority’ means the national authority responsible for setting up and carrying out the necessary procedures for the assessment, designation and notification of conformity assessment bodies and for their monitoring;
Article 3 – paragraph 1 – point 20(20) ‘conformity assessment’ means the process of verifying whether the requirements set out in Title III, Chapter 2 of this Regulation relating to an AI system have been fulfilled;(20) ‘conformity assessment’ means the process of demonstrating whether the requirements set out in Title III, Chapter 2 of this Regulation relating to an AI system have been fulfilled;(19) ‘conformity assessment’ means the process of verifying whether the requirements set out in Title III, Chapter 2 of this Regulation relating to a high-risk AI system have been fulfilled;(20) ‘conformity assessment’ means the process of verifying and demonstrating whether the requirements set out in Title III, Chapter 2 of this Regulation relating to an AI system or a high-risk AI system have been fulfilled;
Article 3 – paragraph 1 – point 21(21)‘conformity assessment body’ means a body that performs third-party conformity assessment activities, including testing, certification and inspection;(21)‘conformity assessment body’ means a body that performs third-party conformity assessment activities, including testing, certification and inspection;(21) ‘conformity assessment body’ means a body that performs third-party conformity assessment activities, including testing, certification and inspection;(21) ‘conformity assessment body’ means a body that performs third-party conformity assessment activities, including testing, certification and inspection;
Article 3 – paragraph 1 – point 22(22) ‘notified body’ means a conformity assessment body designated in accordance with this Regulation and other relevant Union harmonisation legislation;(22) ‘notified body’ means a conformity assessment body notified in accordance with this Regulation and other relevant Union harmonisation legislation;(22) ‘notified body’ means a conformity assessment body designated in accordance with this Regulation and other relevant Union harmonisation legislation;(22) ‘notified body’ means a conformity assessment body designated and notified in accordance with this Regulation and other relevant Union harmonisation legislation;
Article 3 – paragraph 1 – point 23(23) ‘substantial modification’ means a change to the AI system following its placing on the market or putting into service which affects the compliance of the AI system with the requirements set out in Title III, Chapter 2 of this Regulation or results in a modification to the intended purpose for which the AI system has been assessed;(23) ‘substantial modification’ means a modification or a series of modifications of the AI system after its placing on the market or putting into service which is not foreseen or planned in the initial risk assessment by the provider and as a result of which the compliance of the AI system with the requirements set out in Title III, Chapter 2 of this Regulation is affected or results in a modification to the intended purpose for which the AI system has been assessed;(23) ‘substantial modification’ means a change to the AI system following its placing on the market or putting into service which affects the compliance of the AI system with the requirements set out in Title III, Chapter 2 of this Regulation, or a modification to the intended purpose for which the AI system has been assessed. For high-risk AI systems that continue to learn after being placed on the market or put into service, changes to the highrisk AI system and its performance that have been pre-determined by the provider at the moment of the initial conformity assessment and are part of the information contained in the technical documentation referred to in point 2(f) of Annex IV, shall not constitute a substantial modification.(23) ‘substantial modification’ means a change or a series of modifications to the AI system following its placing on the market or putting into service, which is not foreseen or planned in the initial risk assessment by the provider, and which affects the compliance of the AI system with the requirements set out in Title III, Chapter 2 of this Regulation, or results in a modification to the intended purpose for which the AI system has been assessed. For high-risk AI systems that continue to learn after being placed on the market or put into service, changes to the high-risk AI system and its performance that have been pre-determined by the provider at the moment of the initial conformity assessment and are part of the information contained in the technical documentation referred to in point 2(f) of Annex IV, shall not constitute a substantial modification.
Article 3 – paragraph 1 – point 24(24) ‘CE marking of conformity’ (CE marking) means a marking by which a provider indicates that an AI system is in conformity with the requirements set out in Title III, Chapter 2 of this Regulation and other applicable Union legislation harmonising the conditions for the marketing of products (‘Union harmonisation legislation’) providing for its affixing;(24) ‘CE marking of conformity’ (CE marking) means a physical or digital marking by which a provider indicates that an AI system or a product with an embedded AI system is in conformity with the requirements set out in Title III, Chapter 2 of this Regulation and other applicable Union legislation harmonising the conditions for the marketing of products (‘Union harmonisation legislation’) providing for its affixing;(24) ‘CE marking of conformity’ (CE marking) means a marking by which a provider indicates that an AI system is in conformity with the requirements set out in Title III, Chapter 2 or in Article 4b of this Regulation and other applicable Union legal act harmonising the conditions for the marketing of products (‘Union harmonisation legislation’) providing for its affixing;(24) ‘CE marking of conformity’ (CE marking) means a physical or digital marking by which a provider indicates that an AI system or a product with an embedded AI system is in conformity with the requirements set out in Title III, Chapter 2 or in Article 4b of this Regulation and other applicable Union legislation or Union legal act harmonising the conditions for the marketing of products (‘Union harmonisation legislation’) providing for its affixing;
Article 3 – paragraph 1 – point 25(25)‘post-market monitoring’ means all activities carried out by providers of AI systems to proactively collect and review experience gained from the use of AI systems they place on the market or put into service for the purpose of identifying any need to immediately apply any necessary corrective or preventive actions;(25)‘post-market monitoring’ means all activities carried out by providers of AI systems to proactively collect and review experience gained from the use of AI systems they place on the market or put into service for the purpose of identifying any need to immediately apply any necessary corrective or preventive actions;(25) ‘post-market monitoring system’ means all activities carried out by providers of AI systems to collect and review experience gained from the use of AI systems they place on the market or put into service for the purpose of identifying any need to immediately apply any necessary corrective or preventive actions;(25) ‘post-market monitoring’ refers to all activities conducted by providers of AI systems to proactively and systematically collect and review experience gained from the use of AI systems they place on the market or put into service, with the aim of identifying any need to immediately apply any necessary corrective or preventive actions;
Article 3 – paragraph 1 – point 26(26)‘market surveillance authority’ means the national authority carrying out the activities and taking the measures pursuant to Regulation (EU) 2019/1020;(26)‘market surveillance authority’ means the national authority carrying out the activities and taking the measures pursuant to Regulation (EU) 2019/1020;(26) ‘market surveillance authority’ means the national authority carrying out the activities and taking the measures pursuant to Regulation (EU) 2019/1020;(26) ‘market surveillance authority’ means the national authority carrying out the activities and taking the measures pursuant to Regulation (EU) 2019/1020;
Article 3 – paragraph 1 – point 27(27)‘harmonised standard’ means a European standard as defined in Article 2(1)(c) of Regulation (EU) No 1025/2012;(27)‘harmonised standard’ means a European standard as defined in Article 2(1)(c) of Regulation (EU) No 1025/2012;(27) ‘harmonised standard’ means a European standard as defined in Article 2(1)(c) of Regulation (EU) No 1025/2012;(27) ‘harmonised standard’ means a European standard as defined in Article 2(1)(c) of Regulation (EU) No 1025/2012;
Article 3 – paragraph 1 – point 28(28)‘common specifications’ means a document, other than a standard, containing technical solutions providing a means to, comply with certain requirements and obligations established under this Regulation;(28)‘common specifications’ means a document, other than a standard, containing technical solutions providing a means to, comply with certain requirements and obligations established under this Regulation;(28) ‘common specification’ means a set of technical specifications, as defined in point 4 of Article 2 of Regulation (EU) No 1025/2012 providing means to comply with certain requirements established under this Regulation;(28) ‘common specifications’ means a document or a set of technical specifications, other than a standard, as defined in point 4 of Article 2 of Regulation (EU) No 1025/2012, containing technical solutions providing a means to comply with certain requirements and obligations established under this Regulation.
Article 3 – paragraph 1 – point 29(29) ‘training data’ means data used for training an AI system through fitting its learnable parameters, including the weights of a neural network;(29) ‘training data’ means data used for training an AI system through fitting its learnable parameters;(29) ‘training data’ means data used for training an AI system through fitting its learnable parameters;(29) ‘training data’ means data used for training an AI system through fitting its learnable parameters, including the weights of a neural network;
Article 3 – paragraph 1 – point 30(30) ‘validation data’ means data used for providing an evaluation of the trained AI system and for tuning its non-learnable parameters and its learning process, among other things, in order to prevent overfitting; whereas the validation dataset can be a separate dataset or part of the training dataset, either as a fixed or variable split;(30) ‘validation data’ means data used for providing an evaluation of the trained AI system and for tuning its non-learnable parameters and its learning process, among other things, in order to prevent underfitting or overfitting; whereas the validation dataset is a separate dataset or part of the training dataset, either as a fixed or variable split;(30) ‘validation data’ means data used for providing an evaluation of the trained AI system and for tuning its non-learnable parameters and its learning process, among other things, in order to prevent overfitting; whereas the validation dataset can be a separate dataset or part of the training dataset, either as a fixed or variable split;(30) ‘validation data’ means data used for providing an evaluation of the trained AI system and for tuning its non-learnable parameters and its learning process, among other things, in order to prevent underfitting or overfitting; whereas the validation dataset can be a separate dataset or part of the training dataset, either as a fixed or variable split;
Article 3 – paragraph 1 – point 31(31)‘testing data’ means data used for providing an independent evaluation of the trained and validated AI system in order to confirm the expected performance of that system before its placing on the market or putting into service;(31)‘testing data’ means data used for providing an independent evaluation of the trained and validated AI system in order to confirm the expected performance of that system before its placing on the market or putting into service;(31) ‘testing data’ means data used for providing an independent evaluation of the trained and validated AI system in order to confirm the expected performance of that system before its placing on the market or putting into service;(31) ‘testing data’ means data used for providing an independent evaluation of the trained and validated AI system in order to confirm the expected performance of that system before its placing on the market or putting into service;
Article 3 – paragraph 1 – point 32(32)‘input data’ means data provided to or directly acquired by an AI system on the basis of which the system produces an output;(32)‘input data’ means data provided to or directly acquired by an AI system on the basis of which the system produces an output;(32) ‘input data’ means data provided to or directly acquired by an AI system on the basis of which the system produces an output;(32) ‘input data’ means data provided to or directly acquired by an AI system on the basis of which the system produces an output;
Article 3 – paragraph 1 – point 33(33) ‘biometric data’ means personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data;(33) ‘biometric data’ means biometric data as defined in Article 4, point (14) of Regulation (EU) 2016/679;(33) ‘biometric data’ means personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, such as facial images or dactyloscopic data;(33) ‘biometric data’ means personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data, as defined in Article 4, point (14) of Regulation (EU) 2016/679;
Article 3 – paragraph 1 – point 33a (new)(33a) ‘biometric-based data’ means data resulting from specific technical processing relating to physical, physiological or behavioural signals of a natural person;Biometric-based data’ is defined as data derived from specific technical processing related to the physical, physiological or behavioural signals of a natural person.
Article 3 – paragraph 1 – point 33b (new)(33b) ‘biometric identification’ means the automated recognition of physical, physiological, behavioural, and psychological human features for the purpose of establishing an individual’s identity by comparing biometric data of that individual to stored biometric data of individuals in a database (one-to-many identification);Biometric identification’ is defined as the automated recognition of physical, physiological, behavioural, and psychological human features. This process is used for the purpose of establishing an individual’s identity by comparing biometric data of that individual to stored biometric data of individuals in a database, also known as one-to-many identification.
Article 3 – paragraph 1 – point 33c (new)(33c) ‘biometric verification’ means the automated verification of the identity of natural persons  by comparing biometric data of an individual to previously provided biometric data (one-to-one verification, including authentication);Biometric verification’ is defined as the automated process of verifying the identity of natural persons by comparing an individual’s biometric data to previously provided biometric data. This process involves one-to-one verification, including authentication.
Article 3 – paragraph 1 – point 33d (new)(33d) ‘special categories of personal data’ means the categories of personal data referred to in Article 9(1) of Regulation (EU)2016/679;Special categories of personal data’ shall refer to the categories of personal data as outlined in Article 9(1) of Regulation (EU) 2016/679.
Article 3 – paragraph 1 – point 34(34) ‘emotion recognition system’ means an AI system for the purpose of identifying or inferring emotions or intentions of natural persons on the basis of their biometric data;(34) ‘emotion recognition system’ means an AI system for the purpose of identifying or inferring emotions, thoughts, states of mind or intentions of individuals or groups on the basis of their biometric and biometric-based data;(34) ‘emotion recognition system’ means an AI system for the purpose of identifying or inferring psychological states, emotions or intentions of natural persons on the basis of their biometric data;(34) ‘emotion recognition system’ means an AI system for the purpose of identifying or inferring psychological states, emotions, thoughts, states of mind or intentions of natural persons, individuals or groups on the basis of their biometric and biometric-based data;
Article 3 – paragraph 1 – point 35(35) ‘biometric categorisation system’ means an AI system for the purpose of assigning natural persons to specific categories, such as sex, age, hair colour, eye colour, tattoos, ethnic origin or sexual or political orientation, on the basis of their biometric data;(35) ‘biometric categorisation means assigning natural persons to specific categories, or inferring their characteristics and attributes on the basis of their biometric or biometric-based data, or which can be inferred from such data;(35) ‘biometric categorisation system’ means an AI system for the purpose of assigning natural persons to specific categories on the basis of their biometric data;(35) ‘biometric categorisation system’ means an AI system for the purpose of assigning natural persons to specific categories, or inferring their characteristics and attributes, such as sex, age, hair colour, eye colour, tattoos, ethnic origin or sexual or political orientation, on the basis of their biometric or biometric-based data, or which can be inferred from such data.
Article 3 – paragraph 1 – point 36(36) ‘remote biometric identification system’ means an AI system for the purpose of identifying natural persons at a distance through the comparison of a person’s biometric data with the biometric data contained in a reference database, and without prior knowledge of the user of the AI system whether the person will be present and can be identified ;(36) ‘remote biometric identification system’ means an AI system for the purpose of identifying natural persons at a distance through the comparison of a person’s biometric data with the biometric data contained in a reference database, and without prior knowledge of the deployer of the AI system whether the person will be present and can be identified, excluding verification systems;(36) ‘remote biometric identification system’ means an AI system for the purpose of identifying natural persons typically at a distance, without their active involvement, through the comparison of a person’s biometric data with the biometric data contained in a reference data repository;(36) ‘remote biometric identification system’ means an AI system for the purpose of identifying natural persons typically at a distance, without their active involvement and without prior knowledge of the user or deployer of the AI system whether the person will be present and can be identified, through the comparison of a person’s biometric data with the biometric data contained in a reference database or data repository, excluding verification systems.
Article 3 – paragraph 1 – point 37(37) ‘‘real-time’ remote biometric identification system’ means a remote biometric identification system whereby the capturing of biometric data, the comparison and the identification all occur without a significant delay. This comprises not only instant identification, but also limited short delays in order to avoid circumvention.(37) ‘‘real-time’ remote biometric identification system’ means a remote biometric identification system whereby the capturing of biometric data, the comparison and the identification all occur without a significant delay. This comprises not only instant identification, but also limited delays in order to avoid circumvention;(37) ‘‘real-time’ remote biometric identification system’ means a remote biometric identification system whereby the capturing of biometric data, the comparison and the identification all occur instantaneously or near instantaneously;(37) ‘‘real-time’ remote biometric identification system’ means a remote biometric identification system whereby the capturing of biometric data, the comparison and the identification all occur without a significant delay, instantaneously or near instantaneously. This comprises not only instant identification, but also includes limited short delays in order to avoid circumvention.
Article 3 – paragraph 1 – point 38(38)‘‘post’ remote biometric identification system’ means a remote biometric identification system other than a ‘real-time’ remote biometric identification system;(38)‘‘post’ remote biometric identification system’ means a remote biometric identification system other than a ‘real-time’ remote biometric identification system;deletedNone
Article 3 – paragraph 1 – point 39(39) ‘publicly accessible space’ means any physical place accessible to the public, regardless of whether certain conditions for access may apply;(39) ‘publicly accessible space’ means any publicly or privately owned physical place accessible to the public, regardless of whether certain conditions for access may apply, and regardless of the potential capacity restrictions;(39) ‘publicly accessible space’ means any publicly or privately owned physical place accessible to an undetermined number of natural persons regardless of whether certain conditions or circumstances for access have been predetermined, and regardless of the potential capacity restrictions;(39) ‘publicly accessible space’ means any publicly or privately owned physical place accessible to the public or an undetermined number of natural persons, regardless of whether certain conditions or circumstances for access may apply or have been predetermined, and regardless of the potential capacity restrictions.
Article 3 – paragraph 1 – point 40(40)‘law enforcement authority’ means:

(a)any public authority competent for the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security; or

(b)any other body or entity entrusted by Member State law to exercise public authority and public powers for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security;		(40)‘law enforcement authority’ means:

(a)any public authority competent for the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security; or

(b)any other body or entity entrusted by Member State law to exercise public authority and public powers for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security;		(40) ‘law enforcement authority’ means:

(a) any public authority competent for the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security; or

(b) any other body or entity entrusted by Member State law to exercise public authority and public powers for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security;		(40) ‘law enforcement authority’ means:

(a) any public authority competent for the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security; or

(b) any other body or entity entrusted by Member State law to exercise public authority and public powers for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security;
Article 3 – paragraph 1 – point 41(41) ‘law enforcement’ means activities carried out by law enforcement authorities for the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security;(41) ‘law enforcement’ means activities carried out by law enforcement authorities or on their behalf for the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security;(41) ‘law enforcement’ means activities carried out by law enforcement authorities or on their behalf for the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security;(41) ‘law enforcement’ means activities carried out by law enforcement authorities or on their behalf for the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security;
Article 3 – paragraph 1 – point 42(42) ‘national supervisory authority’ means the authority to which a Member State assigns the responsibility for the implementation and application of this Regulation, for coordinating the activities entrusted to that Member State, for acting as the single contact point for the Commission, and for representing the Member State at the European Artificial Intelligence Board;(42) ‘national supervisory authority’ means a public (AM 69) authority to which a Member State assigns the responsibility for the implementation and application of this Regulation, for coordinating the activities entrusted to that Member State, for acting as the single contact point for the Commission, and for representing the Member State in the management Board of the AI Office;deleted(42) ‘national supervisory authority’ means a public authority to which a Member State assigns the responsibility for the implementation and application of this Regulation, for coordinating the activities entrusted to that Member State, for acting as the single contact point for the Commission, and for representing the Member State at the European Artificial Intelligence Board.
Article 3 – paragraph 1 – point 43(43) ‘national competent authority’ means the national supervisory authority, the notifying authority and the market surveillance authority;(43) ‘national competent authority’ means any of the national authorities which are responsible for the enforcement of this Regulation;(43) ‘national competent authority’ means any of the following: the notifying authority and the market surveillance authority. As regards AI systems put into service or used by EU institutions, agencies, offices and bodies, the European Data Protection Supervisor shall fulfil the responsibilities that in the Member States are entrusted to the national competent authority and, as relevant, any reference to national competent authorities or market surveillance authorities in this Regulation shall be understood as referring to the European Data Protection Supervisor;(43) ‘national competent authority’ means any of the national authorities, including the national supervisory authority, the notifying authority, and the market surveillance authority, which are responsible for the enforcement of this Regulation. As regards AI systems put into service or used by EU institutions, agencies, offices and bodies, the European Data Protection Supervisor shall fulfil the responsibilities that in the Member States are entrusted to the national competent authority and, as relevant, any reference to national competent authorities or market surveillance authorities in this Regulation shall be understood as referring to the European Data Protection Supervisor.
Article 3 – paragraph 1 – point 44 (44) ‘serious incident’ means any incident that directly or indirectly leads, might have led or might lead to any of the following:
(a) the death of a person or serious damage to a person’s health, to property or the environment,
(b) a serious disruption of the management and operation of critical infrastructure.

(44) ‘serious incident’ means any incident or malfunctioning of an AI system that directly or indirectly leads, might have led or might lead to any of the following:
(a) the death of a person or serious damage to a person’s health,
(b) a serious disruption of the management and operation of critical infrastructure,
(ba) a breach of fundamental rights protected under Union law,
(bb) serious damage to property or the environment.

(44) ‘serious incident’ means any incident or malfunctioning of an AI system that directly or indirectly leads to any of the following:
(a) the death of a person or serious damage to a person’s health;
(b) a serious and irreversible disruption of the management and operation of critical
infrastructure;
(c) breach of obligations under Union law intended to protect fundamental rights;
(d) serious damage to property or the environment.
(44) ‘serious incident’ means any incident or malfunctioning of an AI system that directly or indirectly leads, might have led or might lead to any of the following:
(a) the death of a person or serious damage to a person’s health, to property or the environment,
(b) a serious and potentially irreversible disruption of the management and operation of critical infrastructure,
(c) a breach of obligations or fundamental rights protected under Union law,
(d) serious damage to property or the environment.
Article 3 – paragraph 1 – point 45 [C] / point 44h [P] (new)(44h) ‘critical infrastructure’ means an asset, a facility, equipment, a network or a system, or a part of an asset, a facility, equipment, a network or a system, which is necessary for the provision of an essential service within the meaning of Article 2(4) of Directive (EU) 2022/2557;(45) ‘critical infrastructure’ means an asset, system or part thereof which is necessary for the delivery of a service that is essential for the maintenance of vital societal functions or economic activities within the meaning of Article 2(4) and (5) of Directive …../….. on the resilience of critical entities;Critical infrastructure’ means an asset, a facility, equipment, a network or a system, or a part thereof, which is necessary for the provision and delivery of a service that is essential for the maintenance of vital societal functions or economic activities within the meaning of Article 2(4) and (5) of Directive (EU) 2022/2557 on the resilience of critical entities.
Article 3 – paragraph 1 – point 46 [C] / point 44a [P] (new)(44a) ‘personal data’ means personal data as defined in Article 4, point (1) of Regulation (EU)2016/679;(46) ‘personal data’ means data as defined in point (1) of Article 4 of Regulation (EU) 2016/679;Personal data’ means data as defined in Article 4, point (1) of Regulation (EU) 2016/679.
Article 3 – paragraph 1 – point 47 [C] / point 44b [P] (new)(44b) ‘non-personal data’ means data other than personal data;(47) ‘non-personal data’ means data other than personal data as defined in point (1) of Article 4 of Regulation (EU) 2016/679;Non-personal data’ refers to data that is not classified as personal data, as defined in point (1) of Article 4 of Regulation (EU) 2016/679.
Article 3 – paragraph 1 – point 44c (new)(44c) ‘profiling’ means any form of automated processing of personal data as defined in point (4) of Article 4 of Regulation (EU) 2016/679; or in the case of law enforcement authorities – in point 4 of Article 3 of Directive (EU) 2016/680 or, in the case of Union institutions, bodies, offices or agencies, in point 5 Article 3 of Regulation (EU) 2018/1725;Profiling’ refers to any form of automated processing of personal data as defined in point (4) of Article 4 of Regulation (EU) 2016/679. This definition also applies to law enforcement authorities as specified in point 4 of Article 3 of Directive (EU) 2016/680 and to Union institutions, bodies, offices or agencies as outlined in point 5 Article 3 of Regulation (EU) 2018/1725.
Article 3 – paragraph 1 – point 48 [C] / point 44n [P] (new)(44n) ‘testing in real world conditions’ means the temporary testing of an AI system for its intended purpose in real world conditions outside of a laboratory or otherwise simulated environment;(48) ‘testing in real world conditions’ means the temporary testing of an AI system for its intended purpose in real world conditions outside of a laboratory or otherwise simulated environment with a view to gathering reliable and robust data and to assessing and verifying the conformity of the AI system with the requirements of this Regulation; testing in real world conditions shall not be considered as placing the AI system on the market or putting it into service within the meaning of this Regulation, provided that all conditions under Article 53 or Article 54a are fulfilled;Testing in real world conditions’ means the temporary testing of an AI system for its intended purpose in real world conditions outside of a laboratory or otherwise simulated environment, with the aim of gathering reliable and robust data and assessing and verifying the conformity of the AI system with the requirements of this Regulation. This testing in real world conditions shall not be considered as placing the AI system on the market or putting it into service within the meaning of this Regulation, provided that all conditions under Article 53 or Article 54a are fulfilled.
Article 3 – paragraph 1 – point 44d (new)(44d) “deep fake” means manipulated or synthetic audio, image or video content that would falsely appear to be authentic or truthful, and which features depictions of persons appearing to say or do things they did not say or do, produced using AI techniques, including machine learning and deep learning;“Deep fake” refers to manipulated or synthetic audio, image or video content that falsely appears to be authentic or truthful. It features depictions of individuals appearing to say or do things they did not actually say or do. This content is produced using AI techniques, including but not limited to machine learning and deep learning.
Article 3 – paragraph 1 – point 49 (new)(49) ‘real world testing plan’ means a document that describes the objectives, methodology, geographical, population and temporal scope, monitoring, organisation and conduct of testing in real world conditions;real world testing plan’ is defined as a document outlining the objectives, methodology, geographical, population and temporal scope, monitoring, organization, and conduct of testing in real world conditions.
Article 3 – paragraph 1 – point 44e (new)(44e) ‘widespread infringement’ means any act or omission contrary to Union law that protects the interest of individuals:
(a) which has harmed or is likely to harm the collective interests of individuals residing in at least two Member States other than the Member State, in which:
(i) the act or omission originated or took place;
(ii) the provider concerned, or, where applicable, its authorised representative is established; or,
(iii) the deployer is established, when the infringement is committed by the deployer;
(b) which protects the interests of individuals, that have caused, cause or are likely to cause harm to the collective interests of individuals and that have common features, including the same unlawful practice, the same interest being infringed and that are occurring concurrently, committed by the same operator, in at least three Member States;		Widespread infringement’ is defined as any act or omission that is contrary to Union law, which is designed to protect the interests of individuals. This infringement:

(a) Has caused harm or is likely to cause harm to the collective interests of individuals residing in at least two Member States, excluding the Member State where:
(i) The act or omission originated or occurred;
(ii) The provider involved, or its authorized representative, is established; or,
(iii) The deployer is established, in cases where the infringement is committed by the deployer.

(b) Protects the interests of individuals and has caused, is causing, or is likely to cause harm to the collective interests of individuals. These infringements share common characteristics, such as the same unlawful practice, the same interest being infringed upon, and are occurring concurrently. They are committed by the same operator in at least three Member States.
Article 3 – paragraph 1 – point 44f (new)(44f) ‘widespread infringement with a Union dimension’ means a widespread infringement that has harmed or is likely to harm the collective interests of individuals in at least two-thirds of the Member States, accounting, together, for at least two-thirds of the population of the Union;Widespread infringement with a Union dimension’ is defined as a widespread infringement that has caused or has the potential to cause harm to the collective interests of individuals in a minimum of two-thirds of the Member States, collectively representing at least two-thirds of the total population of the Union.
Article 3 – paragraph 1 – point 50 (new)(50) ‘subject’ for the purpose of real world testing means a natural person who participates in testing in real world conditions;For the purpose of real world testing, a ‘subject’ is defined as a natural person who participates in testing under real world conditions.
Article 3 – paragraph 1 – point 51 (new)(51) ‘informed consent’ means a subject’s free and voluntary expression of his or her willingness to participate in a particular testing in real world conditions, after having been informed of all aspects of the testing that are relevant to the subject’s decision to participate; in the case of minors and of incapacitated subjects, the informed consent shall be given by their legally designated representative;Informed consent’ is defined as the free and voluntary expression of a subject’s willingness to participate in a particular real-world condition testing, after being fully informed of all relevant aspects of the testing that could influence their decision to participate. In situations involving minors or incapacitated subjects, the informed consent should be provided by their legally designated representative.
Article 3 – paragraph 1 – point 52 [C] / 44g [P] (new)(44g) ‘regulatory sandbox’ means a controlled environment established by a public authority that facilitates the safe development, testing and validation of innovative AI systems for a limited time before their placement on the market or putting into service pursuant to a specific plan under regulatory supervision;(52) ‘AI regulatory sandbox’ means a concrete framework set up by a national competent authority which offers providers or prospective providers of AI systems the possibility to develop, train, validate and test, where appropriate in real world conditions, an innovative AI system, pursuant to a specific plan for a limited time under regulatory supervision.AI Regulatory Sandbox’ means a controlled and concrete framework established by a national competent public authority, which facilitates and offers providers or prospective providers the safe and appropriate opportunity to develop, train, validate, and test innovative AI systems, where appropriate in real world conditions, for a limited time before their placement on the market or putting into service pursuant to a specific plan under regulatory supervision.
Article 3 – paragraph 1 – point 44k (new)(44k) ‘social scoring’ means evaluating or classifying natural persons based on their social behaviour, socio-economic status or known or predicted personal or personality characteristics;Social scoring’ is defined as the process of evaluating or classifying natural persons based on their social behaviour, socio-economic status, or known or predicted personal or personality characteristics.
Article 3 – paragraph 1 – point 44l (new)(44l) ‘social behaviour’ means the way a natural person interacts with and influences other natural persons or society;Social behaviour’ is defined as the manner in which a natural person interacts with and influences other natural persons or society.
Article 3 – paragraph 1 – point 44 m (new)(44m) ‘state of the art’ means the developed stage of technical capability at a given time as regards products, processes and services, based on the relevant consolidated findings of science, technology and experience;State of the art’ refers to the current and advanced stage of technical capability at any given time in relation to products, processes, and services. This is based on the relevant consolidated findings of science, technology, and experience.
Article 4
NumberingCommissionParliamentCouncilText proposed by the AI
Article 4
Article 4
Amendments to Annex I

The Commission is empowered to adopt delegated acts in accordance with Article 73 to amend the list of techniques and approaches listed in Annex I, in order to update that list to market and technological developments on the basis of characteristics that are similar to the techniques and approaches listed therein.		deletedArticle 4
Implementing acts

In order to ensure uniform conditions for the implementation of this Regulation as regards machine learning approaches and logic- and knowledged based approaches referred to in Article 3(1), the Commission may adopt implementing acts to specify the technical elements of those approaches, taking into account market and technological developments. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 74(2).		Article 4
Amendments and Implementing Acts

The Commission is empowered to adopt delegated acts in accordance with Article 73 to amend the list of techniques and approaches listed in Annex I, in order to update that list to market and technological developments on the basis of characteristics that are similar to the techniques and approaches listed therein.

Furthermore, to ensure uniform conditions for the implementation of this Regulation as regards machine learning approaches and logic- and knowledge-based approaches referred to in Article 3(1), the Commission may adopt implementing acts to specify the technical elements of those approaches, taking into account market and technological developments. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 74(2).
Article 4a (new) [P]Article 4 a
General principles applicable to all AI systems

1. All operators falling under this Regulation shall make their best efforts to develop and use AI systems or foundation models in accordance with the following general principles establishing a high-level framework that promotes a coherent human-centric European approach to ethical and trustworthy Artificial Intelligence, which is fully in line with the Charter as well as the values on which the Union is founded:
a) ‘human agency and oversight’ means that AI systems shall be developed and used as a tool that serves people, respects human dignity and personal autonomy, and that is functioning in a way that can be appropriately controlled and overseen by humans;
b) ‘technical robustness and safety’ means that AI systems shall be developed and used in a way to minimize unintended and unexpected harm as well as being robust in case of unintended problems and being resilient against attempts to alter the use or performance of the AI system so as to allow unlawful use by malicious third parties;
c) ‘privacy and data governance’ means that AI systems shall be developed and used in compliance with existing privacy and data protection rules, while processing data that meets high standards in terms of quality and integrity;
d) ‘transparency’ means that AI systems shall be developed and used in a way that allows appropriate traceability and explainability, while making humans aware that they communicate or interact with an AI system as well as duly informing users of the capabilities and limitations of that AI system and affected persons about their rights;.
e) ‘diversity, non-discrimination and fairness’ means that AI systems shall be developed and used in a way that includes diverse actors and promotes equal access, gender equality and cultural diversity, while avoiding discriminatory impacts and unfair biases that are prohibited by Union or national law;
f) ‘social and environmental well-being’ means that AI systems shall be developed and used in a sustainable and environmentally friendly manner as well as in a way to benefit all human beings, while monitoring and assessing the long-term impacts on the individual, society and democracy.

2. Paragraph 1 is without prejudice to obligations set up by existing Union and national law. For high-risk AI systems, the general principles are translated into and complied with by providers or deployers by means of the requirements set out in Articles 8 to 15, and the relevant obligations laid down in Chapter 3 of Title III of this Regulation. For foundation models, the general principles are translated into and complied with by providers by means of the requirements set out in Articles 28 to 28b. For all AI systems, the application of the principles referred to in paragraph 1 can be achieved, as applicable, through the provisions of Article 28, Article 52, or the application of harmonised standards, technical specifications, and codes of conduct as referred to in Article 69,without creating new obligations under this Regulation.

3. The Commission and the AI Office shall incorporate these guiding principles in standardisation requests as well as recommendations consisting in technical guidance to assist providers and deployers on how to develop and use AI systems. European Standardisation Organisations shall take the general principles referred to in paragraph 1of this Article into account as outcome-based objectives when developing the appropriate harmonised standards for high risk AI systems as referred to in Article 40(2b). 		Article 4 a
General principles applicable to all AI systems

1. All operators subject to this Regulation shall strive to develop and use AI systems or foundation models in accordance with the following general principles, which establish a high-level framework that encourages a consistent, human-centric European approach to ethical and trustworthy Artificial Intelligence, in full alignment with the Charter and the values upon which the Union is founded:
a) ‘human agency and oversight’ implies that AI systems should be developed and used as tools that serve people, respect human dignity and personal autonomy, and function in a manner that can be appropriately controlled and overseen by humans;
b) ‘technical robustness and safety’ implies that AI systems should be developed and used in a way that minimizes unintended and unexpected harm, ensures robustness in the face of unintended problems, and is resilient against attempts to alter the use or performance of the AI system for unlawful use by malicious third parties;
c) ‘privacy and data governance’ implies that AI systems should be developed and used in compliance with existing privacy and data protection rules, while processing data that meets high standards of quality and integrity;
d) ‘transparency’ implies that AI systems should be developed and used in a way that allows for appropriate traceability and explainability, while making humans aware that they are communicating or interacting with an AI system, and duly informing users of the capabilities and limitations of that AI system and affected persons about their rights;
e) ‘diversity, non-discrimination and fairness’ implies that AI systems should be developed and used in a way that includes diverse actors and promotes equal access, gender equality and cultural diversity, while avoiding discriminatory impacts and unfair biases that are prohibited by Union or national law;
f) ‘social and environmental well-being’ implies that AI systems should be developed and used in a sustainable and environmentally friendly manner, and in a way that benefits all human beings, while monitoring and assessing the long-term impacts on the individual, society and democracy.

2. Paragraph 1 does not prejudice obligations established by existing Union and national law. For high-risk AI systems, the general principles are translated into and complied with by providers or deployers through the requirements set out in Articles 8 to 15, and the relevant obligations laid down in Chapter 3 of Title III of this Regulation. For foundation models, the general principles are translated into and complied with by providers through the requirements set out in Articles 28 to 28b. For all AI systems, the application of the principles referred to in paragraph 1 can be achieved, as applicable, through the provisions of Article 28, Article 52, or the application of harmonised standards, technical specifications, and codes of conduct as referred to in Article 69, without creating new obligations under this Regulation.

3. The Commission and the AI Office shall incorporate these guiding principles in standardisation requests as well as recommendations consisting in technical guidance to assist providers and deployers on how to develop and use AI systems. European Standardisation Organisations shall take the general principles referred to in paragraph 1 of this Article into account as outcome-based objectives when developing the appropriate harmonised standards for high risk AI systems as referred to in Article 40(2b).
Article 4b (new) [P]Article 4 b
AI literacy

1. When implementing this Regulation, the Union and the Member States shall promote measures for the development of a sufficient level of AI literacy, across sectors and taking into account the different needs of groups of providers, deployers and affected persons concerned, including through education and training, skilling and reskilling programmes and while ensuring proper gender and age balance, in view of allowing a democratic control of AI systems

2. Providers and deployers of AI systems shall take measures to ensure a sufficient level of AI literacy of their staff and other persons dealing with the operation and use of AI systems on their behalf, taking into account their technical knowledge, experience, education and training and the context the AI systems are to be used in, and considering the persons or groups of persons on which the AI systems are to be used.

3. Such literacy measures shall consist, in particular, of the teaching of basic notions and skills about AI systems and their functioning, including the different types of products and uses, their risks and benefits.

4. A sufficient level of AI literacy is one that contributes, as necessary, to the ability of providers and deployers to ensure compliance and enforcement of this Regulation.		Article 4 b
AI literacy

1. In the implementation of this Regulation, the Union and the Member States shall advocate for the development of an adequate level of AI literacy. This should be across sectors and should consider the varying needs of groups of providers, deployers, and affected persons. This can be achieved through education and training, skilling and reskilling programmes, ensuring a balanced representation of gender and age. The aim is to allow democratic control of AI systems.

2. Providers and deployers of AI systems are required to take measures to ensure their staff and other persons involved in the operation and use of AI systems on their behalf have a sufficient level of AI literacy. This should take into account their technical knowledge, experience, education, training, and the context in which the AI systems are to be used. Consideration should also be given to the persons or groups of persons on which the AI systems are to be used.

3. The literacy measures should primarily consist of teaching basic notions and skills about AI systems and their functioning. This includes understanding the different types of products and uses, their risks, and benefits.

4. A sufficient level of AI literacy is defined as one that contributes, as necessary, to the ability of providers and deployers to ensure compliance and enforcement of this Regulation.
TITLE Ia (new)TITLE Ia
GENERAL PURPOSE AI SYSTEMS		None
Article 4a (new) [C]Article 4a
Compliance of general purpose AI systems with this Regulation

1. Without prejudice to Articles 5, 52, 53 and 69 of this Regulation, general purpose AI systems shall only comply with the requirements and obligations set out in Article 4b.

2. Such requirements and obligations shall apply irrespective of whether the general purpose AI system is placed on the market or put into service as a pre-trained model and whether further fine-tuning of the model is to be performed by the user of the general purpose AI system.		Article 4a
Compliance of general purpose AI systems with this Regulation

1. Without prejudice to Articles 5, 52, 53 and 69 of this Regulation, general purpose AI systems shall only comply with the requirements and obligations set out in Article 4b.

2. Such requirements and obligations shall apply irrespective of whether the general purpose AI system is placed on the market or put into service as a pre-trained model and whether further fine-tuning of the model is to be performed by the user of the general purpose AI system.
Article 4b (new) [C]Article 4b
Requirements for general purpose AI systems and obligations for providers of such systems

1. General purpose AI systems which may be used as high risk AI systems or as components of high risk AI systems in the meaning of Article 6, shall comply with the requirements established in Title III, Chapter 2 of this Regulation as from the date of application of the implementing acts adopted by the Commission in accordance with the examination procedure referred to in Article 74(2) no later than 18 months after the entry into force of this Regulation. Those implementing acts shall specify and adapt the application of the requirements established in Title III, Chapter 2 to general purpose AI systems in the light of their characteristics, technical feasibility, specificities of the AI value chain and of market and technological developments. When fulfilling those requirements, the generally acknowledged state of the art shall be taken into account.

2. Providers of general purpose AI systems referred to in paragraph 1 shall comply, as from the date of application of the implementing acts referred to in paragraph 1, with the obligations set out in Articles 16aa, 16e, 16f, 16g, 16i, 16j, 25, 48 and 61.

3. For the purpose of complying with the obligations set out in Article 16e, providers shall follow the conformity assessment procedure based on internal control set out in Annex VI, points 3 and 4.

4. Providers of such systems shall also keep the technical documentation referred to in Article 11 at the disposal of the national competent authorities for a period ending ten years after the general purpose AI system is placed on the Union market or put into service in the Union.

5. Providers of general purpose AI systems shall cooperate with and provide the necessary information to other providers intending to put into service or place such systems on the Union market as high-risk AI systems or as components of high-risk AI systems, with a view to enabling the latter to comply with their obligations under this Regulation. Such cooperation between providers shall preserve, as appropriate, intellectual property rights, and confidential business information or trade secrets in accordance with Article 70. In order to ensure uniform conditions for the implementation of this Regulation as regards the information to be shared by the providers of general purpose AI systems, the Commission may adopt implementing acts in accordance with the examination procedure referred to in Article 74(2).

6. In complying with the requirements and obligations referred to in paragraphs 1, 2 and 3:
– any reference to the intended purpose shall be understood as referring to possible use of the general purpose AI systems as high risk AI systems or as components of AI high risk systems in the meaning of Article 6;
– any reference to the requirements for high-risk AI systems in Chapter II, Title III shall be understood as referring only to the requirements set out in the present Article.		Article 4b
Requirements and Obligations for Providers of General Purpose AI Systems

1. General purpose AI systems, which may be utilized as high-risk AI systems or as components of high-risk AI systems as defined in Article 6, must adhere to the requirements outlined in Title III, Chapter 2 of this Regulation. This compliance must be effective from the date of application of the implementing acts adopted by the Commission in accordance with the examination procedure referred to in Article 74(2), no later than 18 months after the enforcement of this Regulation. These implementing acts will specify and adapt the application of the requirements established in Title III, Chapter 2 to general purpose AI systems, considering their characteristics, technical feasibility, specificities of the AI value chain, and market and technological developments. The generally acknowledged state of the art should be considered when fulfilling these requirements.

2. Providers of general purpose AI systems, as mentioned in paragraph 1, must comply with the obligations outlined in Articles 16aa, 16e, 16f, 16g, 16i, 16j, 25, 48, and 61, effective from the date of application of the implementing acts referred to in paragraph 1.

3. To comply with the obligations set out in Article 16e, providers must follow the conformity assessment procedure based on internal control outlined in Annex VI, points 3 and 4.

4. Providers must also keep the technical documentation referred to in Article 11 available for the national competent authorities for a period ending ten years after the general purpose AI system is placed on the Union market or put into service in the Union.

5. Providers of general purpose AI systems must cooperate with and provide necessary information to other providers intending to put such systems into service or place them on the Union market as high-risk AI systems or as components of high-risk AI systems. This is to enable the latter to comply with their obligations under this Regulation. This cooperation between providers must preserve intellectual property rights, confidential business information, or trade secrets in accordance with Article 70. To ensure uniform conditions for the implementation of this Regulation regarding the information to be shared by the providers of general purpose AI systems, the Commission may adopt implementing acts in accordance with the examination procedure referred to in Article 74(2).

6. In complying with the requirements and obligations referred to in paragraphs 1, 2, and 3:
– any reference to the intended purpose should be understood as referring to the possible use of the general purpose AI systems as high-risk AI systems or as components of high-risk AI systems as defined in Article 6;
– any reference to the requirements for high-risk AI systems in Chapter II, Title III should be understood as referring only to the requirements outlined in this Article.
Article 4c (new)Article 4c
Exceptions to Article 4b

1. Article 4b shall not apply when the provider has explicitly excluded all high-risk uses in the instructions of use or information accompanying the general purpose AI system.

2. Such exclusion shall be made in good faith and shall not be deemed justified if the provider has sufficient reasons to consider that the system may be misused.

3. When the provider detects or is informed about market misuse they shall take all necessary and proportionate measures to prevent such further misuse, in particular taking into account the scale of the misuse and the seriousness of the associated risks.		Article 4c
Exceptions to Article 4b

1. Article 4b shall not apply when the provider has explicitly excluded all high-risk uses in the instructions of use or information accompanying the general purpose AI system.

2. Such exclusion shall be made in good faith and shall not be deemed justified if the provider has sufficient reasons to consider that the system may be misused.

3. When the provider detects or is informed about market misuse they shall take all necessary and proportionate measures to prevent such further misuse, in particular taking into account the scale of the misuse and the seriousness of the associated risks.

TITLE II: Prohibited Artificial Intelligence Practices

Article 5
NumberingCommissionParliamentCouncilText proposed by the AI
Article 5 – paragraph 1 – introductory part1.The following artificial intelligence practices shall be prohibited:1.The following artificial intelligence practices shall be prohibited:1.The following artificial intelligence practices shall be prohibited:None
Article 5 – paragraph 1 – point a(a) the placing on the market, putting into service or use of an AI system that deploys subliminal techniques beyond a person’s consciousness in order to materially distort a person’s behaviour in a manner that causes or is likely to cause that person or another person physical or psychological harm;

(a) the placing on the market, putting into service or use of an AI system that deploys subliminal techniques beyond a person’s consciousness or purposefully manipulative or deceptive techniques, with the objective to or the effect of materially distorting a person’s or a group of persons’ behaviour by appreciably impairing the person’s ability to make an informed decision, thereby causing the person to take a decision that that person would not have otherwise taken in a manner that causes or is likely to cause that person, another person or group of persons significant harm;

The prohibition of AI system that deploys subliminal techniques referred to in the first sub-paragraph shall not apply to AI systems intended to be used for approved therapeutical purposes on the basis of specific informed consent of the individuals that are exposed to them or, where applicable, of their legal guardian;

(a) the placing on the market, putting into service or use of an AI system that deploys subliminal techniques beyond a person’s consciousness with the objective to or the effect of materially distorting a person’s behaviour in a manner that causes or is reasonably likely to cause that person or another person physical or psychological harm;(a) The placing on the market, putting into service or use of an AI system that deploys subliminal techniques beyond a person’s consciousness or employs purposefully manipulative or deceptive techniques, with the objective to or the effect of materially distorting a person’s or a group of persons’ behaviour by appreciably impairing the person’s ability to make an informed decision, thereby causing the person to take a decision that that person would not have otherwise taken in a manner that causes or is reasonably likely to cause that person, another person or group of persons significant physical or psychological harm;

The prohibition of AI system that deploys subliminal techniques referred to in the first sub-paragraph shall not apply to AI systems intended to be used for approved therapeutical purposes on the basis of specific informed consent of the individuals that are exposed to them or, where applicable, of their legal guardian;
Article 5 – paragraph 1 – point b(b) the placing on the market, putting into service or use of an AI system that exploits any of the vulnerabilities of a specific group of persons due to their age, physical or mental disability, in order to materially distort the behaviour of a person pertaining to that group in a manner that causes or is likely to cause that person or another person physical or psychological harm;

(b) the placing on the market, putting into service or use of an AI system that exploits any of the vulnerabilities of a person or a specific group of persons, including characteristics of such person’s or a such group’s known or predicted personality traits or social or economic situation age, physical or mental ability with the objective or to the effect of materially distorting the behaviour of that person or a person pertaining to that group in a manner that causes or is likely to cause that person or another person significant harm;;

(b) the placing on the market, putting into service or use of an AI system that exploits any of the vulnerabilities of a specific group of persons due to their age, disability or a specific social or economic situation, with the objective to or the effect of materially distorting the behaviour of a person pertaining to that group in a manner that causes or is reasonably likely to cause that person or another person physical or psychological harm;
(b) the placing on the market, putting into service or use of an AI system that exploits any of the vulnerabilities of a person or a specific group of persons, including characteristics of such person’s or a such group’s known or predicted personality traits, age, physical or mental disability, or specific social or economic situation, with the objective or to the effect of materially distorting the behaviour of that person or a person pertaining to that group in a manner that causes or is likely to cause that person or another person physical or psychological harm;
Article 5 – paragraph 1 – point ba (new)(ba) the placing on the market, putting into service or use of biometric categorisation systems that categorise natural persons according to sensitive or protected attributes or characteristics or based on the inference of those attributes or characteristics. This prohibition shall not apply to AI systems intended to be used for approved therapeutical purposes on the basis of specific informed consent of the individuals that are exposed to them or, where applicable, of their legal guardian.

The marketing, deployment, or utilization of biometric categorization systems that classify individuals based on sensitive or protected attributes or characteristics, or the inference of such attributes or characteristics, is prohibited. This prohibition does not extend to AI systems designed for approved therapeutic purposes, provided that specific informed consent is obtained from the individuals exposed to these systems, or, where applicable, their legal guardian.
Article 5 – paragraph 1 – point c(c) the placing on the market, putting into service or use of AI systems by public authorities or on their behalf for the evaluation or classification of the trustworthiness of natural persons over a certain period of time based on their social behaviour or known or predicted personal or personality characteristics, with the social score leading to either or both of the following:

(i) detrimental or unfavourable treatment of certain natural persons or whole groups thereof in social contexts which are unrelated to the contexts in which the data was originally generated or collected;

(ii) detrimental or unfavourable treatment of certain natural persons or whole groups thereof that is unjustified or disproportionate to their social behaviour or its gravity;
(c) the placing on the market, putting into service or use of AI systems for the social scoring evaluation or classification of natural persons or groups thereof over a certain period of time based on their social behaviour or known, inferred or predicted personal or personality characteristics, with the social score leading to either or both of the following:

(i) detrimental or unfavourable treatment of certain natural persons or whole groups thereof in social contexts that are unrelated to the contexts in which the data was originally generated or collected;

(ii) detrimental or unfavourable treatment of certain natural persons or whole groups thereof that is unjustified or disproportionate to their social behaviour or its gravity;		(c) the placing on the market, putting into service or use of AI systems for the evaluation or classification of natural persons over a certain period of time based on their social behaviour or known or predicted personal or personality characteristics, with the social score leading to either or both of the following:

(i) detrimental or unfavourable treatment of certain natural persons or groups thereof in social contexts which are unrelated to the contexts in which the data was originally generated or collected;

(ii) detrimental or unfavourable treatment of certain natural persons or groups thereof that is unjustified or disproportionate to their social behaviour or its gravity;		(c) the placing on the market, putting into service or use of AI systems by public authorities or on their behalf for the evaluation or classification of the trustworthiness of natural persons or groups thereof over a certain period of time based on their social behaviour or known, inferred or predicted personal or personality characteristics, with the social score leading to either or both of the following:

(i) detrimental or unfavourable treatment of certain natural persons or whole groups thereof in social contexts which are unrelated to the contexts in which the data was originally generated or collected;

(ii) detrimental or unfavourable treatment of certain natural persons or whole groups thereof that is unjustified or disproportionate to their social behaviour or its gravity;
Article 5 – paragraph 1 – point d (d) the use of ‘real-time’ remote biometric identification systems in publicly accessible spaces for the purpose of law enforcement, unless and in as far as such use is strictly necessary for one of the following objectives:

(i) the targeted search for specific potential victims of crime, including missing children;

(ii) the prevention of a specific, substantial and imminent threat to the life or physical safety of natural persons or of a terrorist attack;

(iii) the detection, localisation, identification or prosecution of a perpetrator or suspect of a criminal offence referred to in Article 2(2) of Council Framework Decision 2002/584/JHA62 and punishable in the Member State concerned by a custodial sentence or a detention order for a maximum period of at least three years, as determined by the law of that Member State.

––––
62. Council Framework Decision 2002/584/JHA of 13 June 2002 on the European arrest warrant and the surrender procedures between Member States (OJ L 190, 18.7.2002, p. 1).

(d) the use of ‘real-time’ remote biometric identification systems in publicly accessible spaces;

(i) deleted
(ii) deleted
(iii) deleted		(d) the use of ‘real-time’ remote biometric identification systems in publicly accessible spaces by law enforcement authorities or on their behalf for the purpose of law enforcement, unless and in as far as such use is strictly necessary for one of the following objectives:

(i) the targeted search for specific potential victims of crime;

(ii) the prevention of a specific and substantial threat to the critical infrastructure, life, health or physical safety of natural persons or the prevention of terrorist attacks;

(iii) the localisation or identification of a natural person for the purposes of conducting a criminal investigation, prosecution or executing a criminal penalty for offences, referred to in Article 2(2) of Council Framework Decision 2002/584/JHA32 and punishable in the Member State concerned by a custodial sentence or a detention order for a maximum period of at least three years, or other specific offences punishable in the Member State concerned by a custodial sentence or a detention order for a maximum period of at least five years, as determined by the law of that Member State.

––––
32. Council Framework Decision 2002/584/JHA of 13 June 2002 on the European arrest warrant and the surrender procedures between Member States (OJ L 190, 18.7.2002, p. 1).		(d) the use of ‘real-time’ remote biometric identification systems in publicly accessible spaces by law enforcement authorities or on their behalf for the purpose of law enforcement, unless and in as far as such use is strictly necessary for one of the following objectives:

(i) the targeted search for specific potential victims of crime, including missing children;

(ii) the prevention of a specific, substantial and imminent threat to the life, health or physical safety of natural persons, the critical infrastructure, or of a terrorist attack;

(iii) the detection, localisation, identification or prosecution of a perpetrator or suspect of a criminal offence referred to in Article 2(2) of Council Framework Decision 2002/584/JHA and punishable in the Member State concerned by a custodial sentence or a detention order for a maximum period of at least three years, or other specific offences punishable in the Member State concerned by a custodial sentence or a detention order for a maximum period of at least five years, as determined by the law of that Member State.

––––
Council Framework Decision 2002/584/JHA of 13 June 2002 on the European arrest warrant and the surrender procedures between Member States (OJ L 190, 18.7.2002, p. 1).
Article 5 – paragraph 1 – point da (new)(da) the placing on the market, putting into service or use of an AI system for making risk assessments of natural persons or groups thereof in order to assess the risk of a natural person for offending or reoffending or for predicting the occurrence or reoccurrence of an actual or potential criminal or administrative offence based on profiling of a natural person or on assessing personality traits and characteristics, including the person’s location, or past criminal behaviour of natural persons or groups of natural persons;

The use of an AI system for making risk assessments of natural persons or groups thereof in order to assess the risk of a natural person for offending or reoffending or for predicting the occurrence or reoccurrence of an actual or potential criminal or administrative offence based on profiling of a natural person or on assessing personality traits and characteristics, including the person’s location, or past criminal behaviour of natural persons or groups of natural persons, should be regulated when it comes to placing on the market, putting into service or use.
Article 5 – paragraph 1 – point db (new)(db) The placing on the market, putting into service or use of AI systems that create or expand facial recognition databases through the untargeted scraping of facial images from the internet or CCTV footage;

The implementation, utilization, or marketing of AI systems that generate or enlarge facial recognition databases through the indiscriminate extraction of facial images from the internet or CCTV footage.
Article 5 – paragraph 1 – point dc (new)(dc) the placing on the market, putting into service or use of AI systems to infer emotions of a natural person in the areas of law enforcement, border management, in workplace and education institutions. The implementation, marketing, and utilization of AI systems for the purpose of inferring the emotions of a natural person in the sectors of law enforcement, border management, workplaces, and educational institutions.
Article 5 – paragraph 1 – point dd (new)(dd) the putting into service or use of AI systems for the analysis of recorded footage of publicly accessible spaces through ‘post’ remote biometric identification systems, unless they are subject to a pre-judicial authorisation in accordance with Union law and strictly necessary for the targeted search connected to a specific serious criminal offense as defined in Article 83(1) of TFEU that already took place for the purpose of law enforcement.

The use of AI systems for the analysis of recorded footage of publicly accessible spaces through ‘post’ remote biometric identification systems is permitted, provided they are subject to a pre-judicial authorisation in accordance with Union law. This is strictly necessary for the targeted search connected to a specific serious criminal offense as defined in Article 83(1) of TFEU that has already occurred for the purpose of law enforcement.
Article 5 – paragraph 1a (new)1a. This Article shall not affect the prohibitions that apply where an artificial intelligence practice infringes another Union law, including Union law on data protection, non discrimination, consumer protection or competition;

This Article shall not affect the prohibitions that apply where an artificial intelligence practice infringes another Union law, including Union law on data protection, non discrimination, consumer protection or competition.
Article 5 – paragraph 22. The use of ‘real-time’ remote biometric identification systems in publicly accessible spaces for the purpose of law enforcement for any of the objectives referred to in paragraph 1 point d) shall take into account the following elements:

(a) the nature of the situation giving rise to the possible use, in particular the seriousness, probability and scale of the harm caused in the absence of the use of the system;

(b) the consequences of the use of the system for the rights and freedoms of all persons concerned, in particular the seriousness, probability and scale of those consequences.

In addition, the use of ‘real-time’ remote biometric identification systems in publicly accessible spaces for the purpose of law enforcement for any of the objectives referred to in paragraph 1 point d) shall comply with necessary and proportionate safeguards and conditions in relation to the use, in particular as regards the temporal, geographic and personal limitations.

deleted

2. The use of ‘real-time’ remote biometric identification systems in publicly accessible spaces for the purpose of law enforcement for any of the objectives referred to in paragraph 1 point d) shall take into account the following elements:

(a) the nature of the situation giving rise to the possible use, in particular the seriousness, probability and scale of the harm caused in the absence of the use of the system;

(b) the consequences of the use of the system for the rights and freedoms of all persons concerned, in particular the seriousness, probability and scale of those consequences.

In addition, the use of ‘real-time’ remote biometric identification systems in publicly
accessible spaces for the purpose of law enforcement for any of the objectives referred to in paragraph 1 point d) shall comply with necessary and proportionate safeguards and conditions in relation to the use, in particular as regards the temporal, geographic and personal limitations.		2. The use of ‘real-time’ remote biometric identification systems in publicly accessible spaces for the purpose of law enforcement for any of the objectives referred to in paragraph 1 point d) shall take into account the following elements:

(a) the nature of the situation giving rise to the possible use, in particular the seriousness, probability and scale of the harm caused in the absence of the use of the system;

(b) the consequences of the use of the system for the rights and freedoms of all persons concerned, in particular the seriousness, probability and scale of those consequences.

In addition, the use of ‘real-time’ remote biometric identification systems in publicly accessible spaces for the purpose of law enforcement for any of the objectives referred to in paragraph 1 point d) shall comply with necessary and proportionate safeguards and conditions in relation to the use, in particular as regards the temporal, geographic and personal limitations.
Article 5 – paragraph 33. As regards paragraphs 1, point (d) and 2, each individual use for the purpose of law enforcement of a ‘real-time’ remote biometric identification system in publicly accessible spaces shall be subject to a prior authorisation granted by a judicial authority or by an independent administrative authority of the Member State in which the use is to take place, issued upon a reasoned request and in accordance with the detailed rules of national law referred to in paragraph 4. However, in a duly justified situation of urgency, the use of the system may be commenced without an authorisation and the authorisation may be requested only during or after the use.

The competent judicial or administrative authority shall only grant the authorisation where it is satisfied, based on objective evidence or clear indications presented to it, that the use of the ‘real-time’ remote biometric identification system at issue is necessary for and proportionate to achieving one of the objectives specified in paragraph 1, point (d), as identified in the request. In deciding on the request, the competent judicial or administrative authority shall take into account the elements referred to in paragraph 2.

deleted3. As regards paragraphs 1, point (d) and 2, each use for the purpose of law enforcement of a ‘real-time’ remote biometric identification system in publicly accessible spaces shall be subject to a prior authorisation granted by a judicial authority or by an independent administrative authority of the Member State in which the use is to take place, issued upon a reasoned request and in accordance with the detailed rules of national law referred to in paragraph 4. However, in a duly justified situation of urgency, the use of the system may be commenced without an authorisation provided that, such authorisation shall be requested without undue delay during use of the AI system, and if such authorisation is rejected, its use shall be stopped with immediate effect.

The competent judicial or administrative authority shall only grant the authorisation where it is satisfied, based on objective evidence or clear indications presented to it, that the use of the ‘real-time’ remote biometric identification system at issue is necessary for and proportionate to achieving one of the objectives specified in paragraph 1, point (d), as identified in the request. In deciding on the request, the competent judicial or administrative authority shall take into account the elements referred to in paragraph 2.		3. As regards paragraphs 1, point (d) and 2, each individual use for the purpose of law enforcement of a ‘real-time’ remote biometric identification system in publicly accessible spaces shall be subject to a prior authorisation granted by a judicial authority or by an independent administrative authority of the Member State in which the use is to take place, issued upon a reasoned request and in accordance with the detailed rules of national law referred to in paragraph 4. However, in a duly justified situation of urgency, the use of the system may be commenced without an authorisation and the authorisation may be requested only during or after the use, provided that such authorisation shall be requested without undue delay during use of the AI system, and if such authorisation is rejected, its use shall be stopped with immediate effect.

The competent judicial or administrative authority shall only grant the authorisation where it is satisfied, based on objective evidence or clear indications presented to it, that the use of the ‘real-time’ remote biometric identification system at issue is necessary for and proportionate to achieving one of the objectives specified in paragraph 1, point (d), as identified in the request. In deciding on the request, the competent judicial or administrative authority shall take into account the elements referred to in paragraph 2.
Article 5 – paragraph 44. A Member State may decide to provide for the possibility to fully or partially authorise the use of ‘real-time’ remote biometric identification systems in publicly accessible spaces for the purpose of law enforcement within the limits and under the conditions listed in paragraphs 1, point (d), 2 and 3. That Member State shall lay down in its national law the necessary detailed rules for the request, issuance and exercise of, as well as supervision relating to, the authorisations referred to in paragraph 3. Those rules shall also specify in respect of which of the objectives listed in paragraph 1, point (d), including which of the criminal offences referred to in point (iii) thereof, the competent authorities may be authorised to use those systems for the purpose of law enforcement.deleted4. A Member State may decide to provide for the possibility to fully or partially authorise the use of ‘real-time’ remote biometric identification systems in publicly accessible spaces for the purpose of law enforcement within the limits and under the conditions listed in paragraphs 1, point (d), 2 and 3. That Member State shall lay down in its national law the necessary detailed rules for the request, issuance and exercise of, as well as supervision and reporting relating to, the authorisations referred to in paragraph 3. Those rules shall also specify in respect of which of the objectives listed in paragraph 1, point (d), including which of the criminal offences referred to in point (iii) thereof, the competent authorities may be authorised to use those systems for the purpose of law enforcement.4. A Member State may decide to provide for the possibility to fully or partially authorise the use of ‘real-time’ remote biometric identification systems in publicly accessible spaces for the purpose of law enforcement within the limits and under the conditions listed in paragraphs 1, point (d), 2 and 3. That Member State shall lay down in its national law the necessary detailed rules for the request, issuance and exercise of, as well as supervision and reporting relating to, the authorisations referred to in paragraph 3. Those rules shall also specify in respect of which of the objectives listed in paragraph 1, point (d), including which of the criminal offences referred to in point (iii) thereof, the competent authorities may be authorised to use those systems for the purpose of law enforcement.

TITLE III: High-Risk AI Systems

CHAPTER 1: Classification of AI Systems as High-Risk

Article 6
NumberingCommissionParliamentCouncilText proposed by the AI
Article 6Article 6
Classification rules for high-risk AI systems		Article 6
Classification rules for high-risk AI systems		Article 6
Classification rules for high-risk AI systems		Article 6
Classification rules for high-risk AI systems
Article 6 – paragraph 11. Irrespective of whether an AI system is placed on the market or put into service independently from the products referred to in points (a) and (b), that AI system shall be considered high-risk where both of the following conditions are fulfilled:

(a) the AI system is intended to be used as a safety component of a product, or is itself a product, covered by the Union harmonisation legislation listed in Annex II;

(b) the product whose safety component is the AI system, or the AI system itself as a product, is required to undergo a third-party conformity assessment with a view to the placing on the market or putting into service of that product pursuant to the Union harmonisation legislation listed in Annex II.		1. Irrespective of whether an AI system is placed on the market or put into service independently from the products referred to in points (a) and (b), that AI system shall be considered high-risk where both of the following conditions are fulfilled:

(a) the AI system is intended to be used as a safety component of a product, or the AI system is itself a product, covered by the Union harmonisation law listed in Annex II;

(b) the product whose safety component pursuant to point (a) is the AI system, or the AI system itself as a product, is required to undergo a third-party conformity assessment related to risks for health and safety, with a view to the placing on the market or putting into service of that product pursuant to the Union harmonisation law listed in Annex II;		1. An AI system that is itself a product covered by the Union harmonisation legislation listed in Annex II shall be considered as high risk if it is required to undergo a third-party conformity assessment with a view to the placing on the market or putting into service of that product pursuant to the above mentioned legislation.1. Regardless of whether an AI system is placed on the market or put into service independently from the products referred to in points (a) and (b), that AI system shall be considered high-risk where both of the following conditions are fulfilled:

(a) the AI system is intended to be used as a safety component of a product, or the AI system is itself a product, covered by the Union harmonisation legislation listed in Annex II;

(b) the product whose safety component is the AI system, or the AI system itself as a product, is required to undergo a third-party conformity assessment related to risks for health and safety, with a view to the placing on the market or putting into service of that product pursuant to the Union harmonisation legislation listed in Annex II.
Article 6 – paragraph 22. In addition to the high-risk AI systems referred to in paragraph 1, AI systems referred to in Annex III shall also be considered high-risk.

2. In addition to the high-risk AI systems referred to in paragraph 1, AI systems falling under one or more of the critical areas and use cases referred to in Annex III shall be considered high-risk if they pose a significant risk of harm to the health, safety or fundamental rights of natural persons. Where an AI system falls under Annex III point 2, it shall be considered to be high-risk if it poses a significant risk of harm to the environment.

The Commission shall, six months prior to the entry into force of this Regulation, after consulting the AI Office and relevant stakeholders, provide guidelines clearly specifying the circumstances where the output of AI systems referred to in Annex III would pose a significant risk of harm to the health, safety or fundamental rights of natural persons or cases in which it would not.

2. An AI system intended to be used as a safety component of a product covered by the legislation referred to in paragraph 1 shall be considered as high risk if it is required to undergo a third-party conformity assessment with a view to the placing on the market or putting into service of that product pursuant to above mentioned legislation. This provision shall apply irrespective of whether the AI system is placed on the market or put into service independently from the product.2. In addition to the high-risk AI systems referred to in paragraph 1, AI systems falling under one or more of the critical areas and use cases referred to in Annex III shall be considered high-risk if they pose a significant risk of harm to the health, safety or fundamental rights of natural persons, or if they are intended to be used as a safety component of a product covered by the legislation referred to in paragraph 1 and are required to undergo a third-party conformity assessment. Where an AI system falls under Annex III point 2, it shall be considered to be high-risk if it poses a significant risk of harm to the environment.

The Commission shall, six months prior to the entry into force of this Regulation, after consulting the AI Office and relevant stakeholders, provide guidelines clearly specifying the circumstances where the output of AI systems referred to in Annex III would pose a significant risk of harm to the health, safety or fundamental rights of natural persons or cases in which it would not. This provision shall apply irrespective of whether the AI system is placed on the market or put into service independently from the product.
Article 6 – paragraph 3 (new) [C]3. AI systems referred to in Annex III shall be considered high-risk unless the output of the system is purely accessory in respect of the relevant action or decision to be taken and is not therefore likely to lead to a significant risk to the health, safety or fundamental rights.

In order to ensure uniform conditions for the implementation of this Regulation, the Commission shall, no later than one year after the entry into force of this Regulation, adopt implementing acts to specify the circumstances where the output of AI systems referred to in Annex III would be purely accessory in respect of the relevant action or decision to be taken. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 74, paragraph 2.		AI systems mentioned in Annex III will be classified as high-risk unless the system’s output is merely supplementary to the relevant action or decision to be taken and does not pose a significant risk to health, safety, or fundamental rights. To ensure uniform conditions for the implementation of this Regulation, the Commission will adopt implementing acts within one year after this Regulation comes into force. These acts will detail the circumstances under which the output of AI systems mentioned in Annex III would be considered purely supplementary to the relevant action or decision. The adoption of these implementing acts will follow the examination procedure outlined in Article 74, paragraph 2.
Article 6 – paragraph 2a (new) [P]2a. Where providers falling under one or more of the critical areas and use cases referred to in Annex III consider that their AI system does not pose a significant risk as described in paragraph 2, they shall submit a reasoned notification to the national supervisory authority that they are not subject to the requirements of Title III Chapter 2 of this Regulation. Where the AI system is intended to be used in two or more Member States, that notification shall be addressed to the AI Office. Without prejudice to Article 65, the national supervisory authority shall review and reply to the notification, directly or via the AI Office, within three months if they deem the AI system to be misclassified.

Providers operating in one or more of the critical areas and use cases referred to in Annex III, who believe that their AI system does not pose a significant risk as described in paragraph 2, are required to submit a reasoned notification to the national supervisory authority stating that they are not subject to the requirements of Title III Chapter 2 of this Regulation. In cases where the AI system is intended for use in two or more Member States, the notification should be addressed to the AI Office. The national supervisory authority, without prejudice to Article 65, is responsible for reviewing and responding to the notification, either directly or through the AI Office, within a three-month period if they consider the AI system to be misclassified.
Article 6 – paragraph 2b (new)2b. Providers that misclassify their AI system as not subject to the requirements of Title III Chapter 2 of this Regulation and place it on the market before the deadline for objection by national supervisory authorities shall be subject to fines pursuant to Article 71.

Providers that incorrectly categorize their AI system as not being subject to the requirements of Title III Chapter 2 of this Regulation and subsequently place it on the market before the deadline for objection by national supervisory authorities shall be liable to penalties as outlined in Article 71.
Article 6 – paragraph 2c (new)2 c. National supervisory authorities shall submit a yearly report to the AI Office detailing the number of notifications received, the related high-risk areas at stake and the decisions taken concerning received notifications

National supervisory authorities are required to annually submit a report to the AI Office. This report should detail the number of notifications received, identify the high-risk areas involved, and outline the decisions made in response to these notifications.
Article 7
NumberingCommissionParliamentCouncilText proposed by the AI
Article 7Article 7
Amendments to Annex III		Article 7
Amendments to Annex III		Article 7
Amendments to Annex III		Article 7
Amendments to Annex III
Article 7 – paragraph 1 – introductory part1. The Commission is empowered to adopt delegated acts in accordance with Article 73 to update the list in Annex III by adding high-risk AI systems where both of the following conditions are fulfilled:1. The Commission is empowered to adopt delegated acts in accordance with Article 73 to amend Annex III by adding or modifying areas or use-cases of high-risk AI systems where these pose a significant risk of harm to health and safety, or an adverse impact on fundamental rights, to the environment, or to democracy and the rule of law, and that risk is, in respect of its severity and probability of occurrence, equivalent to or greater than the risk of harm or of adverse impact posed by the high-risk AI systems already referred to in Annex III. 1. The Commission is empowered to adopt delegated acts in accordance with Article 73 to amend the list in Annex III by adding high-risk AI systems where both of the following conditions are fulfilled:1. The Commission is empowered to adopt delegated acts in accordance with Article 73 to update and amend the list in Annex III by adding or modifying areas or use-cases of high-risk AI systems where both of the following conditions are fulfilled: these pose a significant risk of harm to health and safety, or an adverse impact on fundamental rights, to the environment, or to democracy and the rule of law, and that risk is, in respect of its severity and probability of occurrence, equivalent to or greater than the risk of harm or of adverse impact posed by the high-risk AI systems already referred to in Annex III.
Article 7 – paragraph 1 – point a(a) the AI systems are intended to be used in any of the areas listed in points 1 to 8 of Annex III;

deleted(a) the AI systems are intended to be used in any of the areas listed in points 1 to 8 of Annex III;(a) the AI systems are intended to be used in any of the areas listed in points 1 to 8 of Annex III;
Article 7 – paragraph 1 – point b(b) the AI systems pose a risk of harm to the health and safety, or a risk of adverse impact on fundamental rights, that is, in respect of its severity and probability of occurrence, equivalent to or greater than the risk of harm or of adverse impact posed by the high-risk AI systems already referred to in Annex III.deleted(b) the AI systems pose a risk of harm to the health and safety, or a risk of adverse
impact on fundamental rights, that is, in respect of its severity and probability of
occurrence, equivalent to or greater than the risk of harm or of adverse impact posed by the high-risk AI systems already referred to in Annex III.		(b) the AI systems pose a risk of harm to the health and safety, or a risk of adverse impact on fundamental rights, that is, in respect of its severity and probability of occurrence, equivalent to or greater than the risk of harm or of adverse impact posed by the high-risk AI systems already referred to in Annex III.
Article 7 – paragraph 1a (new)1a. The Commission is also empowered to adopt delegated acts in accordance with Article 73 to remove use-cases of high-risk AI systems from the list in Annex III if the conditions referred to in paragraph 1 no longer apply;

The Commission is authorized to adopt delegated acts in accordance with Article 73 to remove use-cases of high-risk AI systems from the list in Annex III, if the conditions mentioned in paragraph 1 no longer apply.
Article 7 – paragraph 2 – introductory part2. When assessing for the purposes of paragraph 1 whether an AI system poses a risk of harm to the health and safety or a risk of adverse impact on fundamental rights that is equivalent to or greater than the risk of harm posed by the high-risk AI systems already referred to in Annex III, the Commission shall take into account the following criteria:

2. When assessing an AI system for the purposes of paragraph 1 and 1a the Commission shall take into account the following criteria:

2. When assessing for the purposes of paragraph 1 whether an AI system poses a risk of harm to the health and safety or a risk of adverse impact on fundamental rights that is equivalent to or greater than the risk of harm posed by the high-risk AI systems already referred to in Annex III, the Commission shall take into account the following criteria:2. When assessing an AI system for the purposes of paragraph 1 and 1a, whether it poses a risk of harm to the health and safety or a risk of adverse impact on fundamental rights that is equivalent to or greater than the risk of harm posed by the high-risk AI systems already referred to in Annex III, the Commission shall take into account the following criteria:
Article 7 – paragraph 2 – point a (a) the intended purpose of the AI system;(a) the intended purpose of the AI system;(a) the intended purpose of the AI system;(a) the intended purpose of the AI system;
Article 7 – paragraph 2 – point aa (new)(aa) the general capabilities and functionalities of the AI system independent of its intended purpose;

The AI system should be evaluated based on its general capabilities and functionalities, irrespective of its intended purpose.
Article 7 – paragraph 2 – point b(b) the extent to which an AI system has been used or is likely to be used;(b) the extent to which an AI system has been used or is likely to be used;(b) the extent to which an AI system has been used or is likely to be used;(b) the extent to which an AI system has been used or is likely to be used;
Article 7 – paragraph 2 – point ba (new)(ba) the nature and amount of the data processed and used by the AI system;

The nature and volume of the data processed and utilized by the AI system.
Article 7 – paragraph 2 – point bb (new)(bb) the extent to which the AI system acts autonomously;The extent to which the AI system operates autonomously.
Article 7 – paragraph 2 – point c(c) the extent to which the use of an AI system has already caused harm to the health and safety or adverse impact on the fundamental rights or has given rise to significant concerns in relation to the materialisation of such harm or adverse impact, as demonstrated by reports or documented allegations submitted to national competent authorities;(c) the extent to which the use of an AI system has already caused harm to health and safety, has had an adverse impact on fundamental rights, the environment, democracy and the rule of law or has given rise to significant concerns in relation to the likelihood of such harm or adverse impact, as demonstrated for example by reports or documented allegations submitted to national supervisory authorities, to the Commission, to the AI Office, to the EDPS, or to the European Union Agency for Fundamental Rights;

(c) the extent to which the use of an AI system has already caused harm to the health and safety or adverse impact on the fundamental rights or has given rise to significant concerns in relation to the materialisation of such harm or adverse impact, as demonstrated by reports or documented allegations submitted to national competent authorities;
(c) the extent to which the use of an AI system has already caused harm to health and safety, has had an adverse impact on fundamental rights, the environment, democracy and the rule of law or has given rise to significant concerns in relation to the likelihood of such harm or adverse impact, as demonstrated by reports or documented allegations submitted to national competent authorities, to the Commission, to the AI Office, to the EDPS, or to the European Union Agency for Fundamental Rights;
Article 7 – paragraph 2 – point d(d) the potential extent of such harm or such adverse impact, in particular in terms of its intensity and its ability to affect a plurality of persons;

(d) the potential extent of such harm or such adverse impact, in particular in terms of its intensity and its ability to affect a plurality of persons or to disproportionately affect a particular group of persons;

(d) the potential extent of such harm or such adverse impact, in particular in terms of its intensity and its ability to affect a plurality of persons;(d) the potential extent of such harm or such adverse impact, in particular in terms of its intensity and its ability to affect a plurality of persons or to disproportionately affect a particular group of persons;
Article 7 – paragraph 2 – point e(e) the extent to which potentially harmed or adversely impacted persons are dependent on the outcome produced with an AI system, in particular because for practical or legal reasons it is not reasonably possible to opt-out from that outcome;

(e) the extent to which potentially harmed or adversely impacted persons are dependent on the output produced involving an AI system, and that output is purely accessory in respect of the relevant action or decision to be taken, in particular because for practical or legal reasons it is not reasonably possible to opt-out from that output;

(e) the extent to which potentially harmed or adversely impacted persons are dependent on the outcome produced with an AI system, in particular because for practical or legal reasons it is not reasonably possible to opt-out from that outcome;(e) the extent to which potentially harmed or adversely impacted persons are dependent on the outcome or output produced with or involving an AI system, in particular because for practical or legal reasons it is not reasonably possible to opt-out from that outcome or output; and that output is purely accessory in respect of the relevant action or decision to be taken.
Article 7 – paragraph 2 – point ea (new)(ea) the potential misuse and malicious use of the AI system and of the technology underpinning it;The potential misuse and malicious use of the AI system and of the technology underpinning it should be thoroughly examined and addressed.
Article 7 – paragraph 2 – point f(f) the extent to which potentially harmed or adversely impacted persons are in a vulnerable position in relation to the user of an AI system, in particular due to an imbalance of power, knowledge, economic or social circumstances, or age;(f) the extent to which there is an imbalance of power, or the potentially harmed or adversely impacted persons are in a vulnerable position in relation to the user of an AI system, in particular due to status, authority, knowledge, economic or social circumstances, or age;(f) the extent to which potentially harmed or adversely impacted persons are in a
vulnerable position in relation to the user of an AI system, in particular due to an
imbalance of power, knowledge, economic or social circumstances, or age;		(f) the extent to which there is an imbalance of power, or the potentially harmed or adversely impacted persons are in a vulnerable position in relation to the user of an AI system, in particular due to status, authority, imbalance of power, knowledge, economic or social circumstances, or age;
Article 7 – paragraph 2 – point g(g) the extent to which the outcome produced with an AI system is easily reversible, whereby outcomes having an impact on the health or safety of persons shall not be considered as easily reversible;(g) the extent to which the outcome produced involving an AI system is easily reversible or remedied, whereby outcomes having an adverse impact on health, safety, fundamental rights of persons, the environment, or on democracy and rule of law shall not be considered as easily reversible;

(g) the extent to which the outcome produced with an AI system is not easily reversible, whereby outcomes having an impact on the health or safety of persons shall not be considered as easily reversible;(g) the extent to which the outcome produced with an AI system is easily reversible or remedied, whereby outcomes having an adverse impact on health, safety, fundamental rights of persons, the environment, or on democracy and rule of law shall not be considered as easily reversible;
Article 7 – paragraph 2 – point ga (new)(ga) the extent of the availability and use of effective technical solutions and mechanisms for the control, reliability and corrigibility of the AI system;

The extent of the availability and use of effective technical solutions and mechanisms for the control, reliability, and corrigibility of the AI system.
Article 7 – paragraph 2 – point gb (new)(gb) the magnitude and likelihood of benefit of the deployment of the AI system for individuals, groups, or society at large, including possible improvements in product safety;

The potential benefits of deploying the AI system should be evaluated, considering the magnitude and likelihood of its impact on individuals, groups, or society at large. This includes potential enhancements in product safety.
Article 7 – paragraph 2 – point gc (new)(gc) the extent of human oversight and the possibility for a human to intercede in order to override a decision or recommendations that may lead to potential harm;

The extent of human oversight should be ensured, along with the provision for a human to intervene and override a decision or recommendations that may potentially lead to harm.
Article 7 – paragraph 2 – point h(h) the extent to which existing Union legislation provides for:

(i) effective measures of redress in relation to the risks posed by an AI system, with the exclusion of claims for damages;

(ii) effective measures to prevent or substantially minimise those risks.		(h) the extent to which existing Union law provides for:

(i) effective measures of redress in relation to the damage caused by an AI system, with the exclusion of claims for direct or indirect damages;

(ii) effective measures to prevent or substantially minimise those risks.

(h) the extent to which existing Union legislation provides for:

(i) effective measures of redress in relation to the risks posed by an AI system,
with the exclusion of claims for damages;

(ii) effective measures to prevent or substantially minimise those risks;		(h) the extent to which existing Union legislation provides for:

(i) effective measures of redress in relation to the risks or damage caused by an AI system, with the exclusion of claims for direct, indirect or any other damages;

(ii) effective measures to prevent or substantially minimise those risks.
Article 7 – paragraph 2 – point i (new)(i) the magnitude and likelihood of benefit of the AI use for individuals, groups, or society at large.The AI use should be evaluated based on the magnitude and likelihood of its benefit for individuals, groups, or society at large.
Article 7 – paragraph 3 (new) [C]3. The Commission is empowered to adopt delegated acts in accordance with Article 73 to amend the list in Annex III by removing high-risk AI systems where both of the following conditions are fulfilled:
(a) the high-risk AI system(s) concerned no longer pose any significant risks to fundamental rights, health or safety, taking into account the criteria listed in paragraph 2;
(b) the deletion does not decrease the overall level of protection of health, safety and fundamental rights under Union law.		The Commission is authorized to adopt delegated acts in accordance with Article 73 to modify the list in Annex III by removing high-risk AI systems, provided that both of the following conditions are met:
(a) the high-risk AI system(s) in question no longer present any significant risks to fundamental rights, health or safety, considering the criteria listed in paragraph 2;
(b) the removal does not reduce the overall level of protection of health, safety, and fundamental rights under Union law.
Article 7 – paragraph 2a (new) [P]2a. When assessing an AI system for the purposes of paragraphs 1 or 1a the Commission shall consult the AI Office and, where relevant, representatives of groups on which an AI system has an impact, industry, independent experts, the social partners, and civil society organisations. The Commission shall also organise public consultations in this regard and shall make the results of those consultations and of the final assessment publicly available;

In assessing an AI system for the purposes outlined in paragraphs 1 or 1a, the Commission shall engage in consultation with the AI Office. Where applicable, the Commission shall also consult with representatives of groups impacted by the AI system, industry representatives, independent experts, social partners, and civil society organisations. To ensure transparency and public involvement, the Commission shall organise public consultations. The results of these consultations, along with the final assessment, shall be made publicly available.
Article 7 – paragraph 2b (new)2b. The AI Office, national supervisory authorities or the European Parliament may request the Commission to reassess and recategorise the risk categorisation of an AI systemin accordance with paragraphs 1 and 1a. The Commission shall give reasons for its decision and make them public.



The AI Office, national supervisory authorities, or the European Parliament may request the Commission to reassess and recategorise the risk categorisation of an AI system in accordance with paragraphs 1 and 1a. The Commission is obligated to provide reasons for its decision and make them public.

CHAPTER 2: Requirements for High-Risk AI Systems

Article 8
NumberingCommissionParliamentCouncilText proposed by the AI
CHAPTER IICHAPTER 2
REQUIREMENTS FOR HIGH-RISK AI SYSTEMS		CHAPTER 2
REQUIREMENTS FOR HIGH-RISK AI SYSTEMS		CHAPTER 2
REQUIREMENTS FOR HIGH-RISK AI SYSTEMS		None
Article 8Article 8
Compliance with the requirements		Article 8
Compliance with the requirements		Article 8
Compliance with the requirements		None
Article 8 – paragraph 11.High-risk AI systems shall comply with the requirements established in this Chapter.1.High-risk AI systems shall comply with the requirements established in this Chapter.1. High-risk AI systems shall comply with the requirements established in this Chapter, taking into account the generally acknowledged state of the art.1. High-risk AI systems shall comply with the requirements established in this Chapter, taking into account the generally acknowledged state of the art.
Article 8 – paragraph 1a (new)1a. In complying with the requirement established in this Chapter, due account shall be taken of guidelines developed as referred to in Article 82b, the generally acknowledged state of the art, including as reflected in the relevant harmonised standards and common specifications as referred to in articles 40 and 41 or those already set out in Union harmonisation law;.

In compliance with the requirements of this Chapter, due consideration should be given to the guidelines developed as mentioned in Article 82b, the universally recognized state of the art, including those reflected in the relevant harmonized standards and common specifications as referred to in Articles 40 and 41 or those already established in Union harmonization law.
Article 8 – paragraph 22. The intended purpose of the high-risk AI system and the risk management system referred to in Article 9 shall be taken into account when ensuring compliance with those requirements.2. The intended purpose of the high-risk AI system, the reasonably foreseeable misuses and the risk management system referred to in Article 9 shall be taken into account when ensuring compliance with those requirements.

2. The intended purpose of the high-risk AI system and the risk management system referred to in Article 9 shall be taken into account when ensuring compliance with those requirements.2. The intended purpose of the high-risk AI system, the reasonably foreseeable misuses, and the risk management system referred to in Article 9 shall be taken into account when ensuring compliance with those requirements.
Article 8 – paragraph 2a (new)2a. As long as the requirements of Title III, Chapters 2 and 3 or Title VIII, Chapters 1, 2 and 3 for high-risk AI systems are addressed by Union harmonisation law listed in Annex II, Section A, the requirements or obligations of those Chapters of this Regulation shall be deemed to be fulfilled, as long as they include the AI component. Requirements of Chapters 2 and 3 of Title III or Title VIII, Chapters 1, 2 and 3 for high-risk AI systems not addressed by Union harmonisation law listed in Annex II Section A, shall be incorporated into that Union harmonisation law, where applicable. The relevant conformity assessment shall be carried out as part of the procedures laid out under Union harmonisation law listed in Annex II, Section A.

As long as the requirements of Title III, Chapters 2 and 3 or Title VIII, Chapters 1, 2 and 3 for high-risk AI systems are addressed by Union harmonisation law listed in Annex II, Section A, the requirements or obligations of those Chapters of this Regulation shall be deemed to be fulfilled, provided they include the AI component. For high-risk AI systems not addressed by Union harmonisation law listed in Annex II Section A, the requirements of Chapters 2 and 3 of Title III or Title VIII, Chapters 1, 2 and 3 shall be incorporated into that Union harmonisation law, where applicable. The relevant conformity assessment shall be carried out as part of the procedures laid out under Union harmonisation law listed in Annex II, Section A.
Article 9
NumberingCommissionParliamentCouncilText proposed by the AI
Article 9Article 9
Risk management system		Article 9
Risk management system		Article 9
Risk management system		Article 9
Risk management system
Article 9 – paragraph 11. A risk management system shall be established, implemented, documented and maintained in relation to high-risk AI systems.

1. A risk management system shall be established, implemented, documented and maintained in relation to high-risk AI systems, throughout the entire lifecycle of the AI system. The risk management system can be integrated into, or a part of, already existing risk management procedures relating to the relevant Union sectoral law insofar as it fulfils the requirements of this article.

1. A risk management system shall be established, implemented, documented and maintained in relation to high-risk AI systems.1. A risk management system shall be established, implemented, documented and maintained in relation to high-risk AI systems, throughout the entire lifecycle of the AI system. This risk management system can be integrated into, or a part of, already existing risk management procedures relating to the relevant Union sectoral law insofar as it fulfils the requirements of this article.
Article 9 – paragraph 2 – introductory part2. The risk management system shall consist of a continuous iterative process run throughout the entire lifecycle of a high-risk AI system, requiring regular systematic updating. It shall comprise the following steps:

2. The risk management system shall consist of a continuous iterative process run throughout the entire lifecycle of a high-risk AI system, requiring regular review and updating of the risk management process, to ensure its continuing effectiveness, and documentation of any significant decisions and actions taken subject to this Article. It shall comprise the following steps:

2. The risk management system shall be understood as a continuous iterative process planned and run throughout the entire lifecycle of a high-risk AI system, requiring regular systematic updating. It shall comprise the following steps:
2. The risk management system shall be understood as a continuous iterative process planned and run throughout the entire lifecycle of a high-risk AI system, requiring regular review and systematic updating of the risk management process, to ensure its continuing effectiveness, and documentation of any significant decisions and actions taken subject to this Article. It shall comprise the following steps:
Article 9 – paragraph 2 – point a(a) identification and analysis of the known and foreseeable risks associated with each high-risk AI system;(a) identification, estimation and evaluation of the known and the reasonably foreseeable risks that the high-risk AI system can pose to the health or safety of natural persons, their fundamental rights including equal access and opportunities, democracy and rule of law or the environement when the high-risk AI system is used in accordance with its intended purpose and under conditions of reasonably foreseeable misuse;

(a) identification and analysis of the known and foreseeable risks most likely to occur to health, safety and fundamental rights in view of the intended purpose of the high-risk AI system;(a) Identification, analysis, estimation and evaluation of the known and the reasonably foreseeable risks that the high-risk AI system can pose to the health or safety of natural persons, their fundamental rights including equal access and opportunities, democracy and rule of law or the environment, most likely to occur in view of the intended purpose and under conditions of reasonably foreseeable misuse of the high-risk AI system.
Article 9 – paragraph 2 – point b(b) estimation and evaluation of the risks that may emerge when the high-risk AI system is used in accordance with its intended purpose and under conditions of reasonably foreseeable misuse;deleteddeletedNone
Article 9 – paragraph 2 – point c(c) evaluation of other possibly arising risks based on the analysis of data gathered from the post-market monitoring system referred to in Article 61;(c) evaluation of emerging significant risks as described in point (a) and identified based on the analysis of data gathered from the post-market monitoring system referred to in Article 61;(c) evaluation of other possibly arising risks based on the analysis of data gathered from the post-market monitoring system referred to in Article 61;(c) evaluation of other possibly arising and emerging significant risks based on the analysis of data gathered from the post-market monitoring system referred to in Article 61;
Article 9 – paragraph 2 – point d(d) adoption of suitable risk management measures in accordance with the provisions of the following paragraphs.(d) adoption of appropriate and targeted risk management measures designed to address the risks identified pursuant to points a and b of this paragraph in accordance with the provisions of the following paragraphs(d) adoption of suitable risk management measures in accordance with the provisions of the following paragraphs.(d) adoption of suitable, appropriate and targeted risk management measures designed to address the risks identified pursuant to points a and b of this paragraph in accordance with the provisions of the following paragraphs.
Article 9 – paragraph 2 – subparagraph 2 (new)The risks referred to in this paragraph shall concern only those which may be reasonably mitigated or eliminated through the development or design of the high-risk AI system, or the provision of adequate technical information.The risks addressed in this context should only pertain to those that can be reasonably mitigated or eliminated through the development or design of the high-risk AI system, or by providing sufficient technical information.
Article 9 – paragraph 33. The risk management measures referred to in paragraph 2, point (d) shall give due consideration to the effects and possible interactions resulting from the combined application of the requirements set out in this Chapter 2. They shall take into account the generally acknowledged state of the art, including as reflected in relevant harmonised standards or common specifications.

3. The risk management measures referred to in paragraph 2, point (d) shall give due consideration to the effects and possible interactions resulting from the combined application of the requirements set out in this Chapter 2, with a view to mitigate risks effectively while ensuring an appropriate and proportionate implementation of the requirements.3. The risk management measures referred to in paragraph 2, point (d) shall give due consideration to the effects and possible interaction resulting from the combined application of the requirements set out in this Chapter 2, with a view to minimising risks more effectively while achieving an appropriate balance in implementing the measures to fulfil those requirements. 3. The risk management measures referred to in paragraph 2, point (d) shall give due consideration to the effects and possible interactions resulting from the combined application of the requirements set out in this Chapter 2. They shall take into account the generally acknowledged state of the art, including as reflected in relevant harmonised standards or common specifications, with a view to mitigating risks effectively and minimising them more effectively while ensuring an appropriate, proportionate, and balanced implementation of the measures to fulfil those requirements.
Article 9 – paragraph 4 – introductory part4. The risk management measures referred to in paragraph 2, point (d) shall be such that any residual risk associated with each hazard as well as the overall residual risk of the high-risk AI systems is judged acceptable, provided that the high-risk AI system is used in accordance with its intended purpose or under conditions of reasonably foreseeable misuse. Those residual risks shall be communicated to the user.

In identifying the most appropriate risk management measures, the following shall be ensured:		4. The risk management measures referred to in paragraph 2, point (d) shall be such that relevant residual risk associated with each hazard as well as the overall residual risk of the high-risk AI systems is reasonably judged to be acceptable, provided that the high-risk AI system is used in accordance with its intended purpose or under conditions of reasonably foreseeable misuse. Those residual risks and the reasoned judgements made shall be communicated to the deployer.

In identifying the most appropriate risk management measures, the following shall be ensured:

4. The risk management measures referred to in paragraph 2, point (d) shall be such that any residual risk associated with each hazard as well as the overall residual risk of the high-risk AI systems is judged acceptable.

In identifying the most appropriate risk management measures, the following shall be ensured:		4. The risk management measures referred to in paragraph 2, point (d) shall be such that any relevant residual risk associated with each hazard as well as the overall residual risk of the high-risk AI systems is reasonably judged to be acceptable, provided that the high-risk AI system is used in accordance with its intended purpose or under conditions of reasonably foreseeable misuse. Those residual risks and the reasoned judgements made shall be communicated to the user or deployer.

In identifying the most appropriate risk management measures, the following shall be ensured:
Article 9 – paragraph 4 – subparagraph 1 – point a(a) elimination or reduction of risks as far as possible through adequate design and development;(a) elimination or reduction of identified risks as far as technically feasible through adequate design and development of the high-risk AI system, involving when relevant, experts and external stakeholders;

(a) elimination or reduction of risks identified and evaluated pursuant to paragraph 2 as far as possible through adequate design and development of the high risk AI system;(a) Elimination or reduction of identified and evaluated risks, as far as technically feasible and as far as possible, through adequate design and development of the high-risk AI system, involving, when relevant, experts and external stakeholders.
Article 9 – paragraph 4 – subparagraph 1 – point b(b) where appropriate, implementation of adequate mitigation and control measures in relation to risks that cannot be eliminated;(b) where appropriate, implementation of adequate mitigation and control measures addressing significant risks that cannot be eliminated;

(b) where appropriate, implementation of adequate mitigation and control measures in relation to risks that cannot be eliminated;(b) where appropriate, implementation of adequate mitigation and control measures in relation to significant risks that cannot be eliminated;
Article 9 – paragraph 4 – subparagraph 1 – point c
(c) provision of adequate information pursuant to Article 13, in particular as regards the risks referred to in paragraph 2, point (b) of this Article, and, where appropriate, training to users.

(c) provision of the required information pursuant to Article 13, and, where appropriate, training to deployers.(c) provision of adequate information pursuant to Article 13, in particular as regards the risks referred to in paragraph 2, point (b) of this Article, and, where appropriate,
training to users.		(c) provision of the required and adequate information pursuant to Article 13, in particular as regards the risks referred to in paragraph 2, point (b) of this Article, and, where appropriate, training to users and deployers.
Article 9 – paragraph 4 – subparagraph 2In eliminating or reducing risks related to the use of the high-risk AI system, due consideration shall be given to the technical knowledge, experience, education, training to be expected by the user and the environment in which the system is intended to be used.

In eliminating or reducing risks related to the use of the high-risk AI system, providers shall take into due consideration the technical knowledge, experience, education and training the deployer may need, including in relation to the presumable context of use.With a view to eliminating or reducing risks related to the use of the high-risk AI system, due consideration shall be given to the technical knowledge, experience, education, training to be expected by the user and the environment in which the system is intended to be used.
In the process of eliminating or reducing risks related to the use of the high-risk AI system, due consideration shall be given to the technical knowledge, experience, education, and training that may be expected from the user or needed by the deployer. This includes considering the environment and the presumable context in which the system is intended to be used.
Article 9 – paragraph 55. High-risk AI systems shall be tested for the purposes of identifying the most appropriate risk management measures. Testing shall ensure that high-risk AI systems perform consistently for their intended purpose and they are in compliance with the requirements set out in this Chapter.5. High-risk AI systems shall be tested for the purposes of identifying the most appropriate and targeted risk management measures and weighing any such measures against the potential benefits and intended goals of the system. Testing shall ensure that high-risk AI systems perform consistently for their intended purpose and they are in compliance with the requirements set out in this Chapter.

5. High-risk AI systems shall be tested in order to ensure that high-risk AI systems perform in a manner that is consistent with their intended purpose and they are in compliance with the requirements set out in this Chapter.5. High-risk AI systems shall be tested for the purposes of identifying the most appropriate and targeted risk management measures, and weighing any such measures against the potential benefits and intended goals of the system. This testing is to ensure that high-risk AI systems perform consistently for their intended purpose and they are in compliance with the requirements set out in this Chapter.
Article 9 – paragraph 66. Testing procedures shall be suitable to achieve the intended purpose of the AI system and do not need to go beyond what is necessary to achieve that purpose.6. Testing procedures shall be suitable to achieve the intended purpose of the AI system.

6. Testing procedures may include testing in real world conditions in accordance with Article 54a.6. Testing procedures shall be suitable and may include testing in real world conditions in accordance with Article 54a, to achieve the intended purpose of the AI system and do not need to go beyond what is necessary to achieve that purpose.
Article 9 – paragraph 77. The testing of the high-risk AI systems shall be performed, as appropriate, at any point in time throughout the development process, and, in any event, prior to the placing on the market or the putting into service. Testing shall be made against preliminarily defined metrics and probabilistic thresholds that are appropriate to the intended purpose of the high-risk AI system.

7. The testing of the high-risk AI systems shall be performed, prior to the placing on the market or the putting into service. Testing shall be made against prior defined metrics, and probabilistic thresholds that are appropriate to the intended purpose or reasonably foreseeable misuse of the high-risk AI system.

7. The testing of the high-risk AI systems shall be performed, as appropriate, at any point in time throughout the development process, and, in any event, prior to the placing on the market or the putting into service. Testing shall be made against preliminarily defined metrics and probabilistic thresholds that are appropriate to the intended purpose of the high-risk AI system.7. The testing of the high-risk AI systems shall be performed, as appropriate, at any point in time throughout the development process, and, in any event, prior to the placing on the market or the putting into service. Testing shall be made against preliminarily defined metrics and probabilistic thresholds that are appropriate to the intended purpose or reasonably foreseeable misuse of the high-risk AI system.
Article 9 – paragraph 88. When implementing the risk management system described in paragraphs 1 to 7, specific consideration shall be given to whether the high-risk AI system is likely to be accessed by or have an impact on children.8. When implementing the risk management system described in paragraphs 1 to 7, providers shall give specific consideration to whether the high-risk AI system is likely to adversely impact vulnerable groups of people or children.

8. The risk management system described in paragraphs 1 to 7 shall give specific
consideration to whether the high-risk AI system is likely to be accessed by or have an impact on persons under the age of 18.		8. When implementing the risk management system described in paragraphs 1 to 7, specific consideration shall be given to whether the high-risk AI system is likely to be accessed by or have an adverse impact on vulnerable groups, including children or persons under the age of 18.
Article 9 – paragraph 99. For credit institutions regulated by Directive 2013/36/EU, the aspects described in paragraphs 1 to 8 shall be part of the risk management procedures established by those institutions pursuant to Article 74 of that Directive.9. For providers and AI systems already covered by Union law that require them to establish a specific risk management, including credit institutions regulated by Directive 2013/36/EU, the aspects described in paragraphs 1 to 8 shall be part of or combined with the risk management procedures established by that Union law.

9. For providers of high-risk AI systems that are subject to requirements regarding internal risk management processes under relevant sectorial Union law, the aspects described in paragraphs 1 to 8 may be part of the risk management procedures established pursuant to that law.
9. For providers, including credit institutions regulated by Directive 2013/36/EU and providers of high-risk AI systems already covered by Union law, that require them to establish a specific risk management, the aspects described in paragraphs 1 to 8 may be part of or combined with the risk management procedures established pursuant to that Union law or relevant sectorial Union law.
Article 10
NumberingCommissionParliamentCouncilText proposed by the AI
Article 10Article 10
Data and data governance		Article 10
Data and data governance		Article 10
Data and data governance		None
Article 10 – paragraph 1
1. High-risk AI systems which make use of techniques involving the training of models with data shall be developed on the basis of training, validation and testing data sets that meet the quality criteria referred to in paragraphs 2 to 5.

1. High-risk AI systems which make use of techniques involving the training of models with data shall be developed on the basis of training, validation and testing data sets that meet the quality criteria referred to in paragraphs 2 to 5 as far as this is technically feasible according to the specific market segment or scope of application.

Techniques that do not require labelled input data such as unsupervised learning and reinforcement learning shall be developed on the basis of data sets such as for testing and verification that meet the quality criteria referred to in paragraphs 2 to 5.

1. High-risk AI systems which make use of techniques involving the training of models with data shall be developed on the basis of training, validation and testing data sets that meet the quality criteria referred to in paragraphs 2 to 5.1. High-risk AI systems which make use of techniques involving the training of models with data shall be developed on the basis of training, validation and testing data sets that meet the quality criteria referred to in paragraphs 2 to 5. This should be technically feasible according to the specific market segment or scope of application. Techniques that do not require labelled input data such as unsupervised learning and reinforcement learning shall also be developed on the basis of data sets for testing and verification that meet the quality criteria referred to in paragraphs 2 to 5.
Article 10 – paragraph 2 – introductory part2. Training, validation and testing data sets shall be subject to appropriate data governance and management practices. Those practices shall concern in particular,2. Training, validation and testing data sets shall be subject to data governance appropriate for the context of use as well as the intended purpose of the AI system. Those measures shall concern in particular,

2. Training, validation and testing data sets shall be subject to appropriate data governance and management practices. Those practices shall concern in particular,2. Training, validation and testing data sets shall be subject to appropriate data governance and management practices suitable for the context of use and the intended purpose of the AI system. Those practices shall concern in particular,
Article 10 – paragraph 2 – point a(a) the relevant design choices;(a) the relevant design choices;(a) the relevant design choices;(a) the relevant design choices;
Article 10 – paragraph 2 – point aa (new)(aa) transparency as regards the original purpose of data collection;Transparency should be maintained concerning the original purpose of data collection.
Article 10 – paragraph 2 – point b(b) data collection;(b) data collection processes;(b) data collection processes;(b) data collection processes;
Article 10 – paragraph 2 – point c
(c) relevant data preparation processing operations, such as annotation, labelling, cleaning, enrichment and aggregation;

(c) data preparation processing operations, such as annotation, labelling, cleaning, updating enrichment and aggregation;

(c) relevant data preparation processing operations, such as annotation, labelling,
cleaning, enrichment and aggregation;		(c) relevant data preparation processing operations, such as annotation, labelling, cleaning, updating enrichment and aggregation;
Article 10 – paragraph 2 – point d(d) the formulation of relevant assumptions, notably with respect to the information that the data are supposed to measure and represent;

(d) the formulation of assumptions, notably with respect to the information that the data are supposed to measure and represent;

(d) the formulation of relevant assumptions, notably with respect to the information that the data are supposed to measure and represent; (d) the formulation of relevant assumptions, notably with respect to the information that the data are supposed to measure and represent;
Article 10 – paragraph 2 – point e
(e) a prior assessment of the availability, quantity and suitability of the data sets that are needed;(e) an assessment of the availability, quantity and suitability of the data sets that are needed;

(e) a prior assessment of the availability, quantity and suitability of the data sets that are needed;(e) a prior assessment of the availability, quantity and suitability of the data sets that are needed;
Article 10 – paragraph 2 – point f(f) examination in view of possible biases;(f) examination in view of possible biases that are likely to affect the health and safety of persons, negatively impact fundamental rights or lead to discrimination prohibited under Union law, especially where data outputs influence inputs for future operations (‘feedback loops’) and appropriate measures to detect, prevent and mitigate possible biases;

(f) examination in view of possible biases that are likely to affect health and safety of natural persons or lead to discrimination prohibited by Union law;(f) examination in view of possible biases that are likely to affect the health and safety of persons or natural persons, negatively impact fundamental rights or lead to discrimination prohibited under Union law, especially where data outputs influence inputs for future operations (‘feedback loops’), and appropriate measures to detect, prevent and mitigate possible biases.
Article 10 – paragraph 2 – point fa (new)(fa) appropriate measures to detect, prevent and mitigate possible biases“Appropriate measures should be implemented to detect, prevent, and mitigate possible biases.”
Article 10 – paragraph 2 – point g(g) the identification of any possible data gaps or shortcomings, and how those gaps and shortcomings can be addressed.(g) the identification of relevant data gaps or shortcomings that prevent compliance with this Regulation, and how those gaps and shortcomings can be addressed;

(g) the identification of any possible data gaps or shortcomings, and how those gaps and shortcomings can be addressed.(g) the identification of any relevant data gaps or shortcomings that may prevent compliance with this Regulation, and how those gaps and shortcomings can be addressed.
Article 10 – paragraph 33. Training, validation and testing data sets shall be relevant, representative, free of errors and complete. They shall have the appropriate statistical properties, including, where applicable, as regards the persons or groups of persons on which the high-risk AI system is intended to be used. These characteristics of the data sets may be met at the level of individual data sets or a combination thereof.

3. Training datasets, and where they are used, validation and testing datasets, including the labels, shall be relevant, sufficiently representative, appropriately vetted for errors and be as complete as possible in view of the intended purpose. They shall have the appropriate statistical properties, including, where applicable, as regards the persons or groups of persons in relation to whom the high-risk AI system is intended to be used. These characteristics of the datasets shall be met at the level of individual datasets or a combination thereof.

3. Training, validation and testing data sets shall be relevant, representative, and to the best extent possible, free of errors and complete. They shall have the appropriate statistical properties, including, where applicable, as regards the persons or groups of persons on which the high-risk AI system is intended to be used. These characteristics of the data sets may be met at the level of individual data sets or a combination thereof.3. Training, validation and testing data sets, including the labels where they are used, shall be relevant, representative, and to the best extent possible, free of errors and complete. They shall have the appropriate statistical properties, including, where applicable, as regards the persons or groups of persons on which the high-risk AI system is intended to be used. These characteristics of the data sets shall be met at the level of individual data sets or a combination thereof, in view of the intended purpose.
Article 10 – paragraph 44. Training, validation and testing data sets shall take into account, to the extent required by the intended purpose, the characteristics or elements that are particular to the specific geographical, behavioural or functional setting within which the high-risk AI system is intended to beused.

4. Datasets shall take into account, to the extent required by the intended purpose or reasonably foreseeable misuses of the AI system, the characteristics or elements that are particular to the specific geographical, contextual behavioural or functional setting within which the high-risk AI system is intended to be used.

4. Training, validation and testing data sets shall take into account, to the extent required by the intended purpose, the characteristics or elements that are particular to the specific geographical, behavioural or functional setting within which the high-risk AI system is intended to be used. 4. Training, validation and testing data sets shall take into account, to the extent required by the intended purpose or reasonably foreseeable misuses of the AI system, the characteristics or elements that are particular to the specific geographical, contextual behavioural or functional setting within which the high-risk AI system is intended to be used.
Article 10 – paragraph 55. To the extent that it is strictly necessary for the purposes of ensuring bias monitoring, detection and correction in relation to the high-risk AI systems, the providers of such systems may process special categories of personal data referred to in Article 9(1) of Regulation (EU) 2016/679, Article 10 of Directive (EU) 2016/680 and Article 10(1) of Regulation (EU) 2018/1725, subject to appropriate safeguards for the fundamental rights and freedoms of natural persons, including technical limitations on the re-use and use of state-of-the-art security and privacy-preserving measures, such as pseudonymisation, or encryption where anonymisation may significantly affect the purpose pursued.

5. To the extent that it is strictly necessary for the purposes of ensuring negative bias detection and correction in relation to the high-risk AI systems, the providers of such systems may exceptionally process special categories of personal data referred to in Article 9(1) of Regulation (EU) 2016/679, Article 10 of Directive (EU) 2016/680 and Article 10(1) of Regulation (EU) 2018/1725, subject to appropriate safeguards for the fundamental rights and freedoms of natural persons, including technical limitations on the re-use and use of state-of-the-art security and privacy-preserving. In particular, all the following conditions shall apply in order for this processing to occur:

(a) the bias detection and correction cannot be effectively fulfilled by processing synthetic or anonymised data;
(b) the data are pseudonymised;
(c) the provider takes appropriate technical and organisational measures to ensure that the data processed for the purpose of this paragraph are secured, protected, subject to suitable safeguards and only authorised persons have access to those data with appropriate confidentiality obligations;
(d) the data processed for the purpose of this paragraph are not to be transmitted, transferred or otherwise accessed by other parties;
(e) the data processed for the purpose of this paragraph are protected by means of appropriate technical and organisational measures and deleted once the bias has been corrected or the personal data has reached the end of its retention period;
(f) effective and appropriate measures are in place to ensure availability, security and resilience of processing systems and services against technical or physical incidents;
(g) effective and appropriate measures are in place to ensure physical security of locations where the data are stored and processed, internal IT and IT security governance and management, certification of processes and products;

Providers having recourse to this provision shall draw up documentation explaining why the processing of special categories of personal data was necessary to detect and correct biases.		5. To the extent that it is strictly necessary for the purposes of ensuring bias monitoring, detection and correction in relation to the high-risk AI systems, the providers of such systems may process special categories of personal data referred to in Article 9(1) of Regulation (EU) 2016/679, Article 10 of Directive (EU) 2016/680 and Article 10(1) of Regulation (EU) 2018/1725, subject to appropriate safeguards for the fundamental rights and freedoms of natural persons, including technical limitations on the re-use and use of state-of-the-art security and privacy-preserving measures, such as pseudonymisation, or encryption where anonymisation may significantly affect the purpose pursued.5. To the extent that it is strictly necessary for the purposes of ensuring bias monitoring, detection and correction in relation to the high-risk AI systems, the providers of such systems may, under exceptional circumstances, process special categories of personal data referred to in Article 9(1) of Regulation (EU) 2016/679, Article 10 of Directive (EU) 2016/680 and Article 10(1) of Regulation (EU) 2018/1725. This processing is subject to appropriate safeguards for the fundamental rights and freedoms of natural persons, including technical limitations on the re-use and use of state-of-the-art security and privacy-preserving measures, such as pseudonymisation, or encryption where anonymisation may significantly affect the purpose pursued.

The following conditions must be met for this processing to occur:

(a) the bias detection and correction cannot be effectively fulfilled by processing synthetic or anonymised data;
(b) the data are pseudonymised;
(c) the provider takes appropriate technical and organisational measures to ensure that the data processed for the purpose of this paragraph are secured, protected, subject to suitable safeguards and only authorised persons have access to those data with appropriate confidentiality obligations;
(d) the data processed for the purpose of this paragraph are not to be transmitted, transferred or otherwise accessed by other parties;
(e) the data processed for the purpose of this paragraph are protected by means of appropriate technical and organisational measures and deleted once the bias has been corrected or the personal data has reached the end of its retention period;
(f) effective and appropriate measures are in place to ensure availability, security and resilience of processing systems and services against technical or physical incidents;
(g) effective and appropriate measures are in place to ensure physical security of locations where the data are stored and processed, internal IT and IT security governance and management, certification of processes and products;

Providers having recourse to this provision shall draw up documentation explaining why the processing of special categories of personal data was necessary to detect and correct biases.
Article 10 – paragraph 66. Appropriate data governance and management practices shall apply for the development of high-risk AI systems other than those which make use of techniques involving the training of models in order to ensure that those high-risk AI systems comply with paragraph 2.6. Appropriate data governance and management practices shall apply for the development of high-risk AI systems other than those which make use of techniques involving the training of models in order to ensure that those high-risk AI systems comply with paragraph 2.6. For the development of high-risk AI systems not using techniques involving the training of models, paragraphs 2 to 5 shall apply only to the testing data sets.6. Appropriate data governance and management practices shall apply for the development of high-risk AI systems, excluding those which make use of techniques involving the training of models, to ensure compliance with paragraph 2. For these systems, paragraphs 2 to 5 shall apply only to the testing data sets.
Article 10 – paragraph 6a (new)6a. Where the provider cannot comply with the obligations laid down in this Article because that provider does not have access to the data and the data is held exclusively by the deployer, the deployer may, on the basis of a contract, be made responsible for any infringement of this Article.

Where the provider is unable to comply with the obligations outlined in this Article due to lack of access to the data, and the data is held exclusively by the deployer, the deployer may be held responsible for any infringement of this Article, based on the terms of a contract.
Article 11
NumberingCommissionParliamentCouncilText proposed by the AI
Article 11Article 11
Technical documentation		Article 11
Technical documentation		Article 11
Technical documentation		Article 11
Technical documentation
Article 11 – paragraph 1The technical documentation of a high-risk AI system shall be drawn up before that system is placed on the market or put into service and shall be kept up-to date.

The technical documentation shall be drawn up in such a way to demonstrate that the high-risk AI system complies with the requirements set out in this Chapter and provide national competent authorities and notified bodies with all the necessary information to assess the compliance of the AI system with those requirements. It shall contain, at a minimum, the elements set out in Annex IV.

The technical documentation of a high-risk AI system shall be drawn up before that system is placed on the market or put into service and shall be kept up-to date.

The technical documentation shall be drawn up in such a way to demonstrate that the high-risk AI system complies with the requirements set out in this Chapter and provide national supervisory authorities and notified bodies with the necessary information to assess the compliance of the AI system with those requirements. It shall contain, at a minimum, the elements set out in Annex IV or, in the case of SMEs and start-ups, any equivalent documentation meeting the same objectives, subject to approval of the competent national authority.

1. The technical documentation of a high-risk AI system shall be drawn up before that system is placed on the market or put into service and shall be kept up-to date.

The technical documentation shall be drawn up in such a way to demonstrate that the high- risk AI system complies with the requirements set out in this Chapter and provide national competent authorities and notified bodies with all the necessary information in a clear and comprehensive form to assess the compliance of the AI system with those requirements. It shall contain, at a minimum, the elements set out in Annex IV or, in the case of SMEs, including start-ups, any equivalent documentation meeting the same objectives, unless deemed inappropriate by the competent authority.		The technical documentation of a high-risk AI system shall be drawn up before that system is placed on the market or put into service and shall be kept up-to date.

The technical documentation shall be drawn up in such a way to demonstrate that the high-risk AI system complies with the requirements set out in this Chapter and provide national competent authorities, supervisory authorities, and notified bodies with all the necessary information in a clear and comprehensive form to assess the compliance of the AI system with those requirements. It shall contain, at a minimum, the elements set out in Annex IV or, in the case of SMEs and start-ups, any equivalent documentation meeting the same objectives, subject to approval of the competent national authority, unless deemed inappropriate by the same authority.
Article 11 – paragraph 22. Where a high-risk AI system related to a product, to which the legal acts listed in Annex II, section A apply, is placed on the market or put into service one single technical documentation shall be drawn up containing all the information set out in Annex IV as well as the information required under those legal acts.

2. Where a high-risk AI system related to a product, to which the legal acts listed in Annex II, section A apply, is placed on the market or put into service one single technical documentation shall be drawn up containing all the information set out in paragraph 1 as well as the information required under those legal acts.

2. Where a high-risk AI system related to a product, to which the legal acts listed in Annex II, section A apply, is placed on the market or put into service one single technical documentation shall be drawn up containing all the information set out in Annex IV as well as the information required under those legal acts.2. Where a high-risk AI system related to a product, to which the legal acts listed in Annex II, section A apply, is placed on the market or put into service one single technical documentation shall be drawn up containing all the information set out in Annex IV and paragraph 1 as well as the information required under those legal acts.
Article 11 – paragraph 33. The Commission is empowered to adopt delegated acts in accordance with Article 73 to amend Annex IV where necessary to ensure that, in the light of technical progress, the technical documentation provides all the necessary information to assess the compliance of the system with the requirements set out in this Chapter.3. The Commission is empowered to adopt delegated acts in accordance with Article 73 to amend Annex IV where necessary to ensure that, in the light of technical progress, the technical documentation provides all the necessary information to assess the compliance of the system with the requirements set out in this Chapter.3. The Commission is empowered to adopt delegated acts in accordance with Article 73 to amend Annex IV where necessary to ensure that, in the light of technical progress, the technical documentation provides all the necessary information to assess the compliance of the system with the requirements set out in this Chapter.3. The Commission is empowered to adopt delegated acts in accordance with Article 73 to amend Annex IV where necessary to ensure that, in the light of technical progress, the technical documentation provides all the necessary information to assess the compliance of the system with the requirements set out in this Chapter.
Article 11 – paragraph 3a (new)3a. Providers that are credit institutions regulated by Directive 2013/36/EU shall maintain the technical documentation as part of the documentation concerning internal governance, arrangements, processes and mechanisms pursuant to Article 74 of that Directive.

Credit institutions regulated by Directive 2013/36/EU, acting as providers, are required to maintain the technical documentation. This should be incorporated as part of the documentation concerning internal governance, arrangements, processes, and mechanisms in accordance with Article 74 of the same Directive.
Article 12
NumberingCommissionParliamentCouncilText proposed by the AI
Article 12 Article 12
Record-keeping		Article 12
Record-keeping		Article 12
Record-keeping		Article 12
Record-keeping
Article 12 – paragraph 11. High-risk AI systems shall be designed and developed with capabilities enabling the automatic recording of events (‘logs’) while the high-risk AI systems is operating. Those logging capabilities shall conform to recognised standards or common specifications.

1. High-risk AI systems shall be designed and developed with capabilities enabling the automatic recording of events (‘logs’) while the high-risk AI systems is operating. Those logging capabilities shall conform to the state of the art and recognised standards or common specifications.

1. High-risk AI systems shall technically allow for the automatic recording of events (‘logs’) over the duration of the life cycle of the system.1. High-risk AI systems shall be designed and developed with capabilities enabling the automatic recording of events (‘logs’) over the duration of the life cycle of the system while the high-risk AI systems is operating. Those logging capabilities shall conform to the state of the art, recognised standards or common specifications.
Article 12 – paragraph 22. The logging capabilities shall ensure a level of traceability of the AI system’s functioning throughout its lifecycle that is appropriate to the intended purpose of the system.

2. In order to ensure a level of traceability of the AI system’s functioning throughout its entire lifetime that is appropriate to the intended purpose of the system, the logging capabilities shall facilitate the monitoring of operations as referred to in Article 29(4) as well as the post market monitoring referred to in Article 61. In particular, they shall enable the recording of events relevant for the identification of situations that may:
(a) result in the AI system presenting a risk within the meaning of Article65(1); or
(b) lead to a substantial modification of the AI system.		2. In order to ensure a level of traceability of the AI system’s functioning that is appropriate to the intended purpose of the system, logging capabilities shall enable the recording of events relevant for:
(i) identification of situations that may result in the AI system presenting a risk within the meaning of Article 65(1) or in a substantial modification;
(ii) facilitation of the post-market monitoring referred to in Article 61; and
(iii) monitoring of the operation of high-risk AI systems referred to in Article 29(4).		2. To ensure a level of traceability of the AI system’s functioning throughout its lifecycle that is appropriate to the intended purpose of the system, the logging capabilities shall facilitate the monitoring of operations as referred to in Article 29(4), the post-market monitoring referred to in Article 61, and enable the recording of events relevant for the identification of situations that may:
(a) result in the AI system presenting a risk within the meaning of Article 65(1); or
(b) lead to a substantial modification of the AI system. This includes the operation of high-risk AI systems.
Article 12 – paragraph 2a (new)2a. High-risk AI systems shall be designed and developed with, the logging capabilities enabling the recording of energy consumption, the measurement or calculation of resource use and environmental impact of the high-risk AI system during all phases of the system’s lifecycle.

High-risk AI systems should be designed and developed with logging capabilities that enable the recording of energy consumption, as well as the measurement or calculation of resource use and environmental impact during all phases of the system’s lifecycle.
Article 12 – paragraph 33. In particular, logging capabilities shall enable the monitoring of the operation of the high-risk AI system with respect to the occurrence of situations that may result in the AI system presenting a risk within the meaning of Article 65(1) or lead to a substantial modification, and facilitate the post-market monitoring referred to in Article 61.

deleteddeletedNone
Article 12 – paragraph 44. For high-risk AI systems referred to in paragraph 1, point (a) of Annex III, the logging capabilities shall provide, at a minimum:
(a) recording of the period of each use of the system (start date and time and end date and time of each use);
(b) the reference database against which input data has been checked by the system;
(c) the input data for which the search has led to a match;
(d) the identification of the natural persons involved in the verification of the results, as referred to in Article 14 (5).		4. For high-risk AI systems referred to in paragraph 1, point (a) of Annex III, the logging capabilities shall provide, at a minimum:
(a) recording of the period of each use of the system (start date and time and end date and time of each use);
(b) the reference database against which input data has been checked by the system;
(c) the input data for which the search has led to a match;
(d) the identification of the natural persons involved in the verification of the results, as referred to in Article 14 (5).		4. For high-risk AI systems referred to in paragraph 1, point (a) of Annex III, the logging capabilities shall provide, at a minimum:
(a) recording of the period of each use of the system (start date and time and end date and time of each use);
(b) the reference database against which input data has been checked by the system;
(c) the input data for which the search has led to a match;
(d) the identification of the natural persons involved in the verification of the results, as referred to in Article 14 (5).		4. For high-risk AI systems referred to in paragraph 1, point (a) of Annex III, the logging capabilities shall provide, at a minimum:
(a) recording of the period of each use of the system (start date and time and end date and time of each use);
(b) the reference database against which input data has been checked by the system;
(c) the input data for which the search has led to a match;
(d) the identification of the natural persons involved in the verification of the results, as referred to in Article 14 (5).
Article 13
NumberingCommissionParliamentCouncilText proposed by the AI
Article 13
Article 13
Transparency and provision of information to users

Article 13
Transparency and provision of information		Article 13
Transparency and provision of information to users		Article 13
Transparency and provision of information to users
Article 13 – paragraph 11. High-risk AI systems shall be designed and developed in such a way to ensure that their operation is sufficiently transparent to enable users to interpret the system’s output and use it appropriately.

An appropriate type and degree of transparency shall be ensured, with a view to achieving compliance with the relevant obligations of the user and of the provider set out in Chapter 3 of this Title.		1. High-risk AI systems shall be designed and developed in such a way to ensure that their operation is sufficiently transparent to enable providers and users to reasonably understand the system’s functioning. Appropriate transparency shall be ensured in accordance with the intended purpose of the AI system, with a view to achieving compliance with the relevant obligations of the provider and user set out in Chapter 3 of this Title.

Transparency shall thereby mean that, at the time the high-risk AI system is placed on the market, all technical means available in accordance with the generally acknowledged state of art are used to ensure that the AI system’s output is interpretable by the provider and the user. The user shall be enabled to understand and use the AI system appropriately by generally knowing how the AI system works and what data it processes, allowing the user to explain the decisions taken by the AI system to the affected person pursuant to Article 68(c).
1. High-risk AI systems shall be designed and developed in such a way to ensure that their operation is sufficiently transparent with a view to achieving compliance with the relevant obligations of the user and of the provider set out in Chapter 3 of this Title and enabling users to understand and use the system appropriately.
1. High-risk AI systems shall be designed and developed in such a way to ensure that their operation is sufficiently transparent to enable providers and users to interpret and reasonably understand the system’s functioning and output. An appropriate type and degree of transparency shall be ensured, in accordance with the intended purpose of the AI system and the generally acknowledged state of art, with a view to achieving compliance with the relevant obligations of the user and of the provider set out in Chapter 3 of this Title.

Transparency shall thereby mean that, at the time the high-risk AI system is placed on the market, all technical means available are used to ensure that the AI system’s output is interpretable by the provider and the user. The user shall be enabled to understand and use the AI system appropriately by generally knowing how the AI system works and what data it processes, allowing the user to explain the decisions taken by the AI system to the affected person pursuant to Article 68(c).
Article 13 – paragraph 22. High-risk AI systems shall be accompanied by instructions for use in an appropriate digital format or otherwise that include concise, complete, correct and clear information that is relevant, accessible and comprehensible to users.2. High-risk AI systems shall be accompanied by intelligible instructions for use in an appropriate digital format or made otherwise available in a durable medium that include concise, correct, clear and to the extent possible complete information that helps operating and maintaining the AI system as well as supporting informed decision-making by users and is reasonably relevant, accessible and comprehensible to users .

2. High-risk AI systems shall be accompanied by instructions for use in an appropriate digital format or otherwise that include concise, complete, correct and clear information that is relevant, accessible and comprehensible to users.2. High-risk AI systems shall be accompanied by instructions for use in an appropriate digital format or otherwise available in a durable medium that include concise, complete, correct, and clear information that is relevant, accessible, and comprehensible to users. This information should support informed decision-making by users and help in operating and maintaining the AI system.
Article 13 – paragraph 3 – introductory part3. The information referred to in paragraph 2 shall specify:3. To achieve the outcomes referred to in paragraph 1, information referred to in paragraph 2 shall specify:

3. The information referred to in paragraph 2 shall specify:3. To achieve the outcomes referred to in paragraph 1, the information referred to in paragraph 2 shall specify:
Article 13 – paragraph 3 – point a
(a) the identity and the contact details of the provider and, where applicable, of its authorised representative;(a) the identity and the contact details of the provider and, where applicable, of its authorised representatives;(a) the identity and the contact details of the provider and, where applicable, of its
authorised representative;		(a) the identity and the contact details of the provider and, where applicable, of its authorised representative or representatives;
Article 13 – paragraph 3 – point aa (new)
(aa) where it is not the same as the provider, the identity and the contact details of the entity that carried out the conformity assessment and, where applicable, of its authorised representative;

In cases where the provider is not the same entity, the identity and contact details of the entity that conducted the conformity assessment should be provided, along with the details of its authorized representative, if applicable.
Article 13 – paragraph 3 – point b – introductory part(b) the characteristics, capabilities and limitations of performance of the high-risk AI system, including:(b) the characteristics, capabilities and limitations of performance of the high-risk AI system, including, where appropriate:

(b) the characteristics, capabilities and limitations of performance of the high-risk AI system, including:(b) the characteristics, capabilities and limitations of performance of the high-risk AI system, including, where appropriate:
Article 13 – paragraph 3 – point b – point i(i) its intended purpose;(i) its intended purpose;(i) its intended purpose, inclusive of the specific geographical, behavioural or functional setting within which the high-risk AI system is intended to be used;(i) its intended purpose, including the specific geographical, behavioural or functional setting within which the high-risk AI system is intended to be used;
Article 13 – paragraph 3 – point b – point ii(ii) the level of accuracy, robustness and cybersecurity referred to in Article 15 against which the high-risk AI system has been tested and validated and which can be expected, and any known and foreseeable circumstances that may have an impact on that expected level of accuracy, robustness and cybersecurity;(ii) the level of accuracy, robustness and cybersecurity referred to in Article 15 against which the high-risk AI system has been tested and validated and which can be expected, and any clearly known and foreseeable circumstances that may have an impact on that expected level of accuracy, robustness and cybersecurity;(ii) the level of accuracy, including its metrics, robustness and cybersecurity referred to in Article 15 against which the high-risk AI system has been tested and validated and which can be expected, and any known and foreseeable circumstances that may have an impact on that expected level of accuracy, robustness and cybersecurity;(ii) the level of accuracy, including its metrics, robustness and cybersecurity referred to in Article 15 against which the high-risk AI system has been tested and validated and which can be expected, and any clearly known and foreseeable circumstances that may have an impact on that expected level of accuracy, robustness and cybersecurity;
Article 13 – paragraph 3 – point b – point iii(iii) any known or foreseeable circumstance, related to the use of the high-risk AI system in accordance with its intended purpose or under conditions of reasonably foreseeable misuse, which may lead to risks to the health and safety or fundamental rights;(iii)  any clearly known or foreseeable circumstance, related to the use of the high-risk AI system in accordance with its intended purpose or under conditions of reasonably foreseeable misuse, which may lead to risks to the health and safety, fundamental rights or the environment, including, where appropriate, illustrative examples of such limitations and of scenarios for which the system should not be used;(iii) any known or foreseeable circumstance, related to the use of the high-risk AI system in accordance with its intended purpose, which may lead to risks to the health and safety or fundamental rights referred to in Aricle 9(2);(iii) any clearly known or foreseeable circumstance, related to the use of the high-risk AI system in accordance with its intended purpose or under conditions of reasonably foreseeable misuse, which may lead to risks to the health and safety, fundamental rights referred to in Article 9(2), or the environment, including, where appropriate, illustrative examples of such limitations and of scenarios for which the system should not be used;
Article 13 – paragraph 3 – point b – point iiia (new)(iiia) the degree to which the AI system can provide an explanation for decisions it takes;The AI system should have the capability to provide a comprehensive explanation for the decisions it makes.
Article 13 – paragraph 3 – point b – point iv(iv) its performance as regards the persons or groups of persons on which the system is intended to be used;(iv) its performance as regards the persons or groups of persons on which the system is intended to be used;(iv) when appropriate, its behaviour regarding specific persons or groups of persons on which the system is intended to be used;(iv) its performance and, when appropriate, its behaviour regarding the persons or groups of persons on which the system is intended to be used;
Article 13 – paragraph 3 – point b – point v(v)  when appropriate, specifications for the input data, or any other relevant information in terms of the training, validation and testing data sets used, taking into account the intended purpose of the AI system.(v)  relevant information about user actions that may influence system performance, including type or quality of input data, or any other relevant information in terms of the training, validation and testing data sets used, taking into account the intended purpose of the AI system.(v) when appropriate, specifications for the input data, or any other relevant information in terms of the training, validation and testing data sets used, taking into account the intended purpose of the AI system;(v) When appropriate, specifications for the input data, including relevant information about user actions that may influence system performance, or any other relevant information in terms of the training, validation and testing data sets used, taking into account the intended purpose of the AI system.
Article 13 – paragraph 3 – point b – point vi (new)(vi) when appropriate, description of the expected output of the system.When deemed suitable, a description of the expected output of the system should be provided.
Article 13 – paragraph 3 – point c(c) the changes to the high-risk AI system and its performance which have been pre-determined by the provider at the moment of the initial conformity assessment, if any; (c) the changes to the high-risk AI system and its performance which have been pre-determined by the provider at the moment of the initial conformity assessment, if any; (c) the changes to the high-risk AI system and its performance which have been pre- determined by the provider at the moment of the initial conformity assessment, if any;(c) the changes to the high-risk AI system and its performance which have been pre-determined by the provider at the moment of the initial conformity assessment, if any;
Article 13 – paragraph 3 – point d(d) the human oversight measures referred to in Article 14, including the technical measures put in place to facilitate the interpretation of the outputs of AI systems by the users;(d) the human oversight measures referred to in Article 14, including the technical measures put in place to facilitate the interpretation of the outputs of AI systems by the users;(d) the human oversight measures referred to in Article 14, including the technical measures put in place to facilitate the interpretation of the outputs of AI systems by the users;(d) the human oversight measures referred to in Article 14, including the technical measures put in place to facilitate the interpretation of the outputs of AI systems by the users;
Article 13 – paragraph 3 – point e(e)  the expected lifetime of the high-risk AI system and any necessary maintenance and care measures to ensure the proper functioning of that AI system, including as regards software updates.(e)  any necessary maintenance and care measures to ensure the proper functioning of that AI system, including as regards software updates, through its expected lifetime.(e) the computational and hardware resources needed, the expected lifetime of the high- risk AI system and any necessary maintenance and care measures, including their frequency, to ensure the proper functioning of that AI system, including as regards software updates;(e) The expected lifetime of the high-risk AI system, the computational and hardware resources needed, and any necessary maintenance and care measures, including their frequency and as regards software updates, to ensure the proper functioning of that AI system throughout its expected lifetime.
Article 13 – paragraph 3 – point ea [p] / point f [C] (new)(ea) a description of the mechanisms included within the AI system that allows users to properly collect, store and interpret the logs in accordance with Article 12(1).(f) a description of the mechanism included within the AI system that allows users to properly collect, store and interpret the logs, where relevant.(f) a description of the mechanisms included within the AI system that allows users to properly collect, store and interpret the logs in accordance with Article 12(1), where relevant.
Article 13 – paragraph 3 – point eb (new)(eb) The information shall be provided at least in the language of the country where the AI system is used.The information should be provided at least in the language of the country where the AI system is used.
Article 13 – paragraph 3 a (new)3a. In order to comply with the obligations laid down in this Article, providers and users shall ensure a sufficient level of AI literacy in line with Article 4b.In order to fulfill the obligations outlined in this Article, it is necessary for both providers and users to ensure an adequate level of AI literacy, as stipulated in Article 4b.
Article 14
NumberingCommissionParliamentCouncilText proposed by the AI
Article 14Article 14
Human oversight		Article 14
Human oversight		Article 14
Human oversight		Article 14
Human oversight
Article 14 – paragraph 11. High-risk AI systems shall be designed and developed in such a way, including with appropriate human-machine interface tools, that they can be effectively overseen by natural persons during the period in which the AI system is in use.1. High-risk AI systems shall be designed and developed in such a way, including with appropriate human-machine interface tools, that they be effectively overseen by natural persons as proportionate to the risks associated with those systems. Natural persons in charge of ensuring human oversight shall have sufficient level of AI literacy in accordance with Article 4b and the necessary support and authority to exercise that function, during the period in which the AI system is in use and to allow for thorough investigation after an incident.1. High-risk AI systems shall be designed and developed in such a way, including with appropriate human-machine interface tools, that they can be effectively overseen by natural persons during the period in which the AI system is in use.1. High-risk AI systems shall be designed and developed in such a way, including with appropriate human-machine interface tools, that they can be effectively overseen by natural persons during the period in which the AI system is in use. The oversight by natural persons should be proportionate to the risks associated with those systems. Natural persons in charge of ensuring human oversight shall have sufficient level of AI literacy in accordance with Article 4b and the necessary support and authority to exercise that function, and to allow for thorough investigation after an incident.
Article 14 – paragraph 22. Human oversight shall aim at preventing or minimising the risks to health, safety or fundamental rights that may emerge when a high-risk AI system is used in accordance with its intended purpose or under conditions of reasonably foreseeable misuse, in particular when such risks persist notwithstanding the application of other requirements set out in this Chapter.2. Human oversight shall aim at preventing or minimising the risks to health, safety, fundamental rights or environment that may emerge when a high-risk AI system is used in accordance with its intended purpose or under conditions of reasonably foreseeable misuse, in particular when such risks persist notwithstanding the application of other requirements set out in this Chapter and where decisions based solely on automated processing by AI systems produce legal or otherwise significant effects on the persons or groups of persons on which the system is to be used.2. Human oversight shall aim at preventing or minimising the risks to health, safety or fundamental rights that may emerge when a high-risk AI system is used in accordance with its intended purpose or under conditions of reasonably foreseeable misuse, in particular when such risks persist notwithstanding the application of other requirements set out in this Chapter2. Human oversight shall aim at preventing or minimising the risks to health, safety, fundamental rights or environment that may emerge when a high-risk AI system is used in accordance with its intended purpose or under conditions of reasonably foreseeable misuse, in particular when such risks persist notwithstanding the application of other requirements set out in this Chapter and where decisions based solely on automated processing by AI systems produce legal or otherwise significant effects on the persons or groups of persons on which the system is to be used.
Article 14 – paragraph 3 – introductory part3. Human oversight shall be ensured through either one or all of the following measures:3. Human oversight shall take into account the specific risks, the level of automation, and context of the AI system and shall be ensured through either one or all of the following types of measures:3. Human oversight shall be ensured through either one or all of the following types of measures:3. Human oversight shall take into account the specific risks, the level of automation, and context of the AI system and shall be ensured through either one or all of the following types of measures:
Article 14 – paragraph 3 – point a(a)identified and built, when technically feasible, into the high-risk AI system by the provider before it is placed on the market or put into service(a)identified and built, when technically feasible, into the high-risk AI system by the provider before it is placed on the market or put into service(a) measures identified and built, when technically feasible, into the high-risk AI system by the provider before it is placed on the market or put into service;(a) measures identified and built, when technically feasible, into the high-risk AI system by the provider before it is placed on the market or put into service;
Article 14 – paragraph 3 – point b(b) identified by the provider before placing the high-risk AI system on the market or putting it into service and that are appropriate to be implemented by the user.(b) identified by the provider before placing the high-risk AI system on the market or putting it into service and that are appropriate to be implemented by the user.(b) measures identified by the provider before placing the high-risk AI system on the market or putting it into service and that are appropriate to be implemented by the user.(b) measures identified by the provider before placing the high-risk AI system on the market or putting it into service and that are appropriate to be implemented by the user.
Article 14 – paragraph 4 – introductory part4. The measures referred to in paragraph 3 shall enable the individuals to whom human oversight is assigned to do the following, as appropriate to the circumstances:

4. For the purpose of implementing paragraphs 1 to 3, the high-risk AI system shall be provided to the user in such a way that natural persons to whom human oversight is assigned are enabled, as appropriate and proportionate to the circumstances:
4. For the purpose of implementing paragraphs 1 to 3, the high-risk AI system shall be provided to the user in such a way that natural persons to whom human oversight is assigned are enabled, as appropriate and proportionate to the circumstances:4. In order to implement the measures referred to in paragraphs 1 to 3, the high-risk AI system should be provided to the user in such a way that enables the individuals to whom human oversight is assigned to perform their duties, as appropriate and proportionate to the circumstances.
Article 14 – paragraph 4 – point a(a) fully understand the capacities and limitations of the high-risk AI system and be able to duly monitor its operation, so that signs of anomalies, dysfunctions and unexpected performance can be detected and addressed as soon as possible;(a) be aware of and sufficiently understand the relevant capacities and limitations of the high-risk AI system and be able to duly monitor its operation, so that signs of anomalies, dysfunctions and unexpected performance can be detected and addressed as soon as possible;(a) to understand the capacities and limitations of the high-risk AI system and be able to duly monitor its operation;(a) Understand and be fully aware of the capacities and limitations of the high-risk AI system, and be able to duly monitor its operation, so that signs of anomalies, dysfunctions and unexpected performance can be detected and addressed as soon as possible.
Article 14 – paragraph 4 – point b(b)remain aware of the possible tendency of automatically relying or over-relying on the output produced by a high-risk AI system (‘automation bias’), in particular for high-risk AI systems used to provide information or recommendations for decisions to be taken by natural persons;(b) remain aware of the possible tendency of automatically relying or over-relying on the output produced by a high-risk AI system (‘automation bias’), in particular for high-risk AI systems used to provide information or recommendations for decisions to be taken by natural persons;(b) to remain aware of the possible tendency of automatically relying or over-relying on the output produced by a high-risk AI system (‘automation bias’); (b) remain aware of the possible tendency of automatically relying or over-relying on the output produced by a high-risk AI system (‘automation bias’), in particular for high-risk AI systems used to provide information or recommendations for decisions to be taken by natural persons;
Article 14 – paragraph 4 – point c(c) be able to correctly interpret the high-risk AI system’s output, taking into account in particular the characteristics of the system and the interpretation tools and methods available;(c) be able to correctly interpret the high-risk AI system’s output, taking into account in particular the characteristics of the system and the interpretation tools and methods available;(c) to correctly interpret the high-risk AI system’s output, taking into account for example the interpretation tools and methods available; (c) be able to correctly interpret the high-risk AI system’s output, taking into account in particular the characteristics of the system and the interpretation tools and methods available, for example;
Article 14 – paragraph 4 – point d(d) be able to decide, in any particular situation, not to use the high-risk AI system or otherwise disregard, override or reverse the output of the high-risk AI system;(d) be able to decide, in any particular situation, not to use the high-risk AI system or otherwise disregard, override or reverse the output of the high-risk AI system;(d) to decide, in any particular situation, not to use the high-risk AI system or otherwise disregard, override or reverse the output of the high-risk AI system;(d) have the ability to decide, in any particular situation, not to use the high-risk AI system or otherwise disregard, override or reverse the output of the high-risk AI system;
Article 14 – paragraph 4 – point e(e) be able to intervene on the operation of the high-risk AI system or interrupt the system through a “stop” button or a similar procedure.(e) be able to intervene on the operation of the high-risk AI system or interrupt, the system through a “stop” button or a similar procedure that allows the system to come to a halt in a safe state, except if the human interference increases the risks or would negatively impact the performance in consideration of generally acknowledged state-of-the-art.(e) to intervene on the operation of the high-risk AI system or interrupt the system through a “stop” button or a similar procedure.(e) be able to intervene on the operation of the high-risk AI system or interrupt the system through a “stop” button or a similar procedure that allows the system to come to a halt in a safe state, except if the human interference increases the risks or would negatively impact the performance in consideration of generally acknowledged state-of-the-art.
Article 14 – paragraph 55. For high-risk AI systems referred to in point 1(a) of Annex III, the measures referred to in paragraph 3 shall be such as to ensure that, in addition, no action or decision is taken by the user on the basis of the identification resulting from the system unless this has been verified and confirmed by at least two natural persons.5. For high-risk AI systems referred to in point1(a) of Annex III, the measures referred to in paragraph 3 shall be such as to ensure that, in addition, no action or decision is taken by the user on the basis of the identification resulting from the system unless this has been verified and confirmed by at least two natural persons with the necessary competence, training and authority.5. For high-risk AI systems referred to in point 1(a) of Annex III, the measures referred to in paragraph 3 shall be such as to ensure that, in addition, no action or decision is taken by the user on the basis of the identification resulting from the system unless this has been separately verified and confirmed by at least two natural persons. The requirement for a separate verification by at least two natural persons shall not apply to high risk AI systems used for the purpose of law enforcement, migration, border control or asylum, in cases where Union or national law considers the application of this requirement to be disproportionate.5. For high-risk AI systems referred to in point 1(a) of Annex III, the measures referred to in paragraph 3 shall be such as to ensure that, in addition, no action or decision is taken by the user on the basis of the identification resulting from the system unless this has been separately verified and confirmed by at least two natural persons with the necessary competence, training and authority. The requirement for a separate verification by at least two natural persons shall not apply to high risk AI systems used for the purpose of law enforcement, migration, border control or asylum, in cases where Union or national law considers the application of this requirement to be disproportionate.
Article 15
NumberingCommissionParliamentCouncilText proposed by the AI
Article 15Article 15
Accuracy, robustness and cybersecurity		Article 15
Accuracy, robustness and cybersecurity		Article 15
Accuracy, robustness and cybersecurity		Article 15
Accuracy, robustness and cybersecurity
Article 15 – paragraph 11. High-risk AI systems shall be designed and developed in such a way that they achieve, in the light of their intended purpose, an appropriate level of accuracy, robustness and cybersecurity, and perform consistently in those respects throughout their lifecycle.1. High-risk AI systems shall be designed and developed following the principle of security by design and by default. In the light of their intended purpose, they should achieve an appropriate level of accuracy, robustness, safety, and cybersecurity, and perform consistently in those respects throughout their lifecycle. Compliance with these requirements shall include implementation of state-of-the-art measures, according to the specific market segment or scope of application.1. High-risk AI systems shall be designed and developed in such a way that they achieve, in the light of their intended purpose, an appropriate level of accuracy, robustness and cybersecurity, and perform consistently in those respects throughout their lifecycle.High-risk AI systems shall be designed and developed following the principle of security by design and by default, in such a way that they achieve, in the light of their intended purpose, an appropriate level of accuracy, robustness, safety, and cybersecurity, and perform consistently in those respects throughout their lifecycle. Compliance with these requirements shall include implementation of state-of-the-art measures, according to the specific market segment or scope of application.
Article 15 – paragraph 1a (new)1a. To address the technical aspects of how to measure the appropriate levels of accuracy and robustness set out in paragraph 1 of this Article, the AI Office shall bring together national and international metrology and benchmarking authorities and provide non-binding guidance on the matter as set out in Article 56, paragraph 2, point (a).To address the technical aspects of measuring the appropriate levels of accuracy and robustness as outlined in paragraph 1 of this Article, the AI Office is tasked with convening national and international metrology and benchmarking authorities. The AI Office will provide non-binding guidance on this matter, as detailed in Article 56, paragraph 2, point (a).
Article 15 – paragraph 1b (new)1b. To address any emerging issues across the internal market with regard to cybersecurity, the European Union Agency for Cybersecurity (ENISA) shall be involved alongside the European Artificial Intelligence Board as set out Article 56, paragraph 2, point (b).To address any potential emerging issues within the internal market concerning cybersecurity, the European Union Agency for Cybersecurity (ENISA) shall be actively involved. This involvement will be in collaboration with the European Artificial Intelligence Board as stipulated in Article 56, paragraph 2, point (b).
Article 15 – paragraph 22. The levels of accuracy and the relevant accuracy metrics of high-risk AI systems shall be declared in the accompanying instructions of use.2. The levels of accuracy and the relevant accuracy metrics of high-risk AI systems shall be declared in the accompanying instructions of use. The language used shall be clear, free of misunderstandings or misleading statements.2. The levels of accuracy and the relevant accuracy metrics of high-risk AI systems shall be declared in the accompanying instructions of use.2. The levels of accuracy and the relevant accuracy metrics of high-risk AI systems shall be declared in the accompanying instructions of use. The language used shall be clear, free of misunderstandings or misleading statements.
Article 15 – paragraph 3 – subparagraph 13. High-risk AI systems shall be resilient as regards errors, faults or inconsistencies that may occur within the system or the environment in which the system operates, in particular due to their interaction with natural persons or other systems.3. Technical and organisational measures shall be taken to ensure that high-risk AI systems shall be as resilient as possible regarding errors, faults or inconsistencies that may occur within the system or the environment in which the system operates, in particular due to their interaction with natural persons or other systems.3. High-risk AI systems shall be resilient as regards errors, faults or inconsistencies that may occur within the system or the environment in which the system operates, in particular due to their interaction with natural persons or other systems.3. Measures shall be implemented to ensure that high-risk AI systems are resilient in regards to errors, faults or inconsistencies that may occur within the system or the environment in which the system operates, particularly due to their interaction with natural persons or other systems.
Article 15 – paragraph 3 – subparagraph 2The robustness of high-risk AI systems may be achieved through technical redundancy solutions, which may include backup or fail-safe plans.The robustness of high-risk AI systems may be achieved by the appropriate provider with input from the user, where necessary, through technical redundancy solutions, which may include backup or fail-safe plans.The robustness of high-risk AI systems may be achieved through technical redundancy solutions, which may include backup or fail-safe plans.The robustness of high-risk AI systems may be achieved by the appropriate provider with input from the user, where necessary, through technical redundancy solutions, which may include backup or fail-safe plans.
Article 15 – paragraph 3 – subparagraph 3High-risk AI systems that continue to learn after being placed on the market or put into service shall be developed in such a way to ensure that possibly biased outputs due to outputs used as an input for future operations (‘feedback loops’) are duly addressed with appropriate mitigation measures.High-risk AI systems that continue to learn after being placed on the market or put into service shall be developed in such a way to ensure that possibly biased outputs influencing input for future operations (‘feedback loops’) and malicious manipulation of inputs used in learning during operation are duly addressed with appropriate mitigation measures.High-risk AI systems that continue to learn after being placed on the market or put into service shall be developed in such a way to eliminate or reduce as far as possible the risk of possibly biased outputs influencing input for future operations (‘feedback loops’) are duly addressed with appropriate mitigation measures.High-risk AI systems that continue to learn after being placed on the market or put into service shall be developed in such a way to ensure that the risk of possibly biased outputs due to outputs used as an input for future operations (‘feedback loops’) and malicious manipulation of inputs used in learning during operation are duly addressed, eliminated or reduced as far as possible with appropriate mitigation measures.
Article 15 – paragraph 4 – subparagraph 1High-risk AI systems shall be resilient as regards attempts by unauthorised third parties to alter their use or performance by exploiting the system vulnerabilities.High-risk AI systems shall be resilient as regards to attempts by unauthorised third parties to alter their use, behaviour, outputs or performance by exploiting the system vulnerabilities.4. High-risk AI systems shall be resilient as regards attempts by unauthorised third parties to alter their use or performance by exploiting the system vulnerabilitiesHigh-risk AI systems shall be resilient as regards to attempts by unauthorised third parties to alter their use, behaviour, outputs or performance by exploiting the system vulnerabilities.
Article 15 – paragraph 4 – subparagraph 2The technical solutions aimed at ensuring the cybersecurity of high-risk AI systems shall be appropriate to the relevant circumstances and the risks.The technical solutions aimed at ensuring the cybersecurity of high-risk AI systems shall be appropriate to the relevant circumstances and the risks.The technical solutions aimed at ensuring the cybersecurity of high-risk AI systems shall be appropriate to the relevant circumstances and the risks. The technical solutions aimed at ensuring the cybersecurity of high-risk AI systems shall be appropriate to the relevant circumstances and the risks.
Article 15 – paragraph 4 – subparagraph 3The technical solutions to address AI specific vulnerabilities shall include, where appropriate, measures to prevent and control for attacks trying to manipulate the training dataset (‘data poisoning’), inputs designed to cause the model to make a mistake (‘adversarial examples’), or model flaws.The technical solutions to address AI specific vulnerabilities shall include, where appropriate, measures to prevent, detect, respond to, resolve and control for attacks trying to manipulate the training dataset (‘data poisoning’), or pre-trained components used in training (‘model poisoning’) , inputs designed to cause the model to make a mistake (‘adversarial examples’ or ‘model evasion’), confidentiality attacks or model flaws, which could lead to harmful decision-making.The technical solutions to address AI specific vulnerabilities shall include, where appropriate, measures to prevent and control for attacks trying to manipulate the training dataset (‘data poisoning’), inputs designed to cause the model to make a mistake (‘adversarial examples’), or model flaws.The technical solutions to address AI specific vulnerabilities shall include, where appropriate, measures to prevent, detect, respond to, resolve and control for attacks trying to manipulate the training dataset (‘data poisoning’), inputs designed to cause the model to make a mistake (‘adversarial examples’), pre-trained components used in training (‘model poisoning’), confidentiality attacks or model flaws, which could lead to harmful decision-making.

CHAPTER 3: Obligations of Providers and Users of High-Risk AI Systems and Other Parties

Article 16
NumberingCommissionParliamentCouncilText proposed by the AI
Article 16 Article 16
Obligations of providers of high-risk AI systems		Article 16
Obligations of providers and deployers of high-risk AI systems and other parties		Article 16
Obligations of providers of high-risk AI systems		Article 16
Obligations of providers and deployers of high-risk AI systems
Article 16 – paragraph 1 – introductory partProviders of high-risk AI systems shall:Providers of high-risk AI systems shall:Providers of high-risk AI systems shall:None
Article 16 – paragraph 1 – point a(a) ensure that their high-risk AI systems are compliant with the requirements set out in Chapter 2 of this Title;(a) ensure that their high-risk AI systems are compliant with the requirements set out in Chapter 2 of this Title before placing them on the market or putting them into service;(a) ensure that their high-risk AI systems are compliant with the requirements set out in Chapter 2 of this Title;(a) ensure that their high-risk AI systems are compliant with the requirements set out in Chapter 2 of this Title before placing them on the market or putting them into service;
Article 16 – paragraph 1 – point aa (new)(aa) indicate their name, registered trade name or registered trade mark, and their address and contact information on the high-risk AI system or, where that is not possible, on its accompanying documentation, as appropriate;(aa) indicate their name, registered trade name or registered trade mark, the address at which they can be contacted on the high-risk AI system or, where that is not possible, on its packaging or its accompanying documentation, as applicable;(aa) indicate their name, registered trade name or registered trade mark, and their address and contact information at which they can be contacted on the high-risk AI system or, where that is not possible, on its packaging or its accompanying documentation, as appropriate;
Article 16 – paragraph 1 – point ab (new)(ab) ensure that natural persons to whom human oversight of high-risk AI systems is assigned are specifically made aware of the risk of automation or confirmation bias;Ensure that natural persons, who are assigned human oversight of high-risk AI systems, are specifically informed about the risk of automation or confirmation bias.
Article 16 – paragraph 1 – point ac (new)(ac) provide specifications for the input data, or any other relevant information in terms of the datasets used, including their limitation and assumptions, taking into account the intended purpose and the foreseeable and reasonably foreseeable misuses of the AI system;Provide specifications for the input data, or any other relevant information in terms of the datasets used, including their limitations and assumptions, taking into account the intended purpose and the foreseeable and reasonably foreseeable misuses of the AI system.
Article 16 – paragraph 1 – point b(b) have a quality management system in place which complies with Article 17;(b) have a quality management system in place which complies with Article 17;(b) have a quality management system in place which complies with Article 17;(b) have a quality management system in place which complies with Article 17;
Article 16 – paragraph 1 – point c(c) draw-up the technical documentation of the high-risk AI system;(c) draw-up and keep the technical documentation of the high-risk AI system referred to in Article 11;(c) keep the documentation referred to in Article 18;(c) draw-up, keep and maintain the technical documentation of the high-risk AI system referred to in Article 11 and Article 18;
Article 16 – paragraph 1 – point d(d) when under their control, keep the logs automatically generated by their high-risk AI systems;(d) when under their control, keep the logs automatically generated by their high-risk AI systems that are required for ensuring and demonstrating compliance with this Regulation, in accordance with Article 20;(d) when under their control, keep the logs automatically generated by their high-risk AI systems as referred to in Article 20;(d) when under their control, keep the logs automatically generated by their high-risk AI systems, as required for ensuring and demonstrating compliance with this Regulation, in accordance with Article 20;
Article 16 – paragraph 1 – point e(e) ensure that the high-risk AI system undergoes the relevant conformity assessment procedure, prior to its placing on the market or putting into service;(e) ensure that the high-risk AI system undergoes the relevant conformity assessment procedure, prior to its placing on the market or putting into service, in accordance with Article 43;(e) ensure that the high-risk AI system undergoes the relevant conformity assessment procedure as referred to in Article 43, prior to its placing on the market or putting into service;(e) ensure that the high-risk AI system undergoes the relevant conformity assessment procedure, as referred to in Article 43, prior to its placing on the market or putting into service;
Article 16 – paragraph 1 – point ea (new)(ea) draw up an EU declaration of conformity in accordance with Article 48;Draw up an EU declaration of conformity in accordance with Article 48.
Article 16 – paragraph 1 – point eb (new)(eb) affix the CE marking to the high-risk AI system to indicate conformity with this Regulation, in accordance with Article 49;The high-risk AI system should be affixed with the CE marking to indicate conformity with this Regulation, as per the stipulations of Article 49.
Article 16 – paragraph 1 – point f(f) comply with the registration obligations referred to in Article 51;(f) comply with the registration obligations referred to in Article 51;(f) comply with the registration obligations referred to in Article 51(1);(f) comply with the registration obligations referred to in Article 51(1);
Article 16 – paragraph 1 – point g(g) take the necessary corrective actions, if the high-risk AI system is not in conformity with the requirements set out in Chapter 2 of this Title;(g) take the necessary corrective actions as referred to in Article 21 and provide information in that regard;(g) take the necessary corrective actions as referred to in Article 21, if the high-risk AI system is not in conformity with the requirements set out in Chapter 2 of this Title;(g) take the necessary corrective actions, as referred to in Article 21, if the high-risk AI system is not in conformity with the requirements set out in Chapter 2 of this Title and provide information in that regard;
Article 16 – paragraph 1 – point h(h) inform the national competent authorities of the Member States in which they made the AI system available or put it into service and, where applicable, the notified body of the non-compliance and of any corrective actions taken;deleted(h) inform the relevant national competent authority of the Member States in which they made the AI system available or put it into service and, where applicable, the notified body of the non-compliance and of any corrective actions taken;(h) inform the relevant national competent authorities of the Member States in which they made the AI system available or put it into service and, where applicable, the notified body of the non-compliance and of any corrective actions taken;
Article 16 – paragraph 1 – point i(i) to affix the CE marking to their high-risk AI systems to indicate the conformity with this Regulation in accordance with Article 49;deleted(i) to affix the CE marking to their high-risk AI systems to indicate the conformity with this Regulation in accordance with Article 49;(i) to affix the CE marking to their high-risk AI systems to indicate the conformity with this Regulation in accordance with Article 49;
Article 16 – paragraph 1 – point j(j) upon request of a national competent authority, demonstrate the conformity of the high-risk AI system with the requirements set out in Chapter 2 of this Title.(j) upon a reasoned request of a national supervisory authority, demonstrate the conformity of the high-risk AI system with the requirements set out in Chapter 2 of this Title.(j) upon request of a national competent authority, demonstrate the conformity of the highrisk AI system with the requirements set out in Chapter 2 of this Title.(j) upon a reasoned request of a national competent authority or supervisory authority, demonstrate the conformity of the high-risk AI system with the requirements set out in Chapter 2 of this Title.
Article 16 – paragraph 1 – point ja (new)(ja) ensure that the high-risk AI system complies with accessibility requirements.Ensure that the high-risk AI system adheres to accessibility requirements.
Article 17
NumberingCommissionParliamentCouncilText proposed by the AI
Article 17Article 17
Quality management system		Article 17
Quality management system		Article 17
Quality management system		Article 17
Quality management system
Article 17 – paragraph 1 – introductory part1. Providers of high-risk AI systems shall put a quality management system in place that ensures compliance with this Regulation. That system shall be documented in a systematic and orderly manner in the form of written policies, procedures and instructions, and shall include at least the following aspects:1. Providers of high-risk AI systems shall have a quality management system in place that ensures compliance with this Regulation. It shall be documented in a systematic and orderly manner in the form of written policies, procedures or instructions, and can be incorporated into an existing quality management system under Union sectoral legislative acts. It shall include at least the following aspects:1. Providers of high-risk AI systems shall put a quality management system in place that ensures compliance with this Regulation. That system shall be documented in a systematic and orderly manner in the form of written policies, procedures and instructions, and shall include at least the following aspects:1. Providers of high-risk AI systems shall establish a quality management system in place that ensures compliance with this Regulation. This system shall be documented in a systematic and orderly manner in the form of written policies, procedures and instructions. It can be incorporated into an existing quality management system under Union sectoral legislative acts. The system shall include at least the following aspects:
Article 17 – paragraph 1 – point a(a) a strategy for regulatory compliance, including compliance with conformity assessment procedures and procedures for the management of modifications to the high-risk AI system;deleted(a) a strategy for regulatory compliance, including compliance with conformity assessment procedures and procedures for the management of modifications to the high-risk AI system;(a) a strategy for regulatory compliance, including compliance with conformity assessment procedures and procedures for the management of modifications to the high-risk AI system;
Article 17 – paragraph 1 – point b(b) techniques, procedures and systematic actions to be used for the design, design control and design verification of the high-risk AI system;(b) techniques, procedures and systematic actions to be used for the design, design control and design verification of the high-risk AI system;(b) techniques, procedures and systematic actions to be used for the design, design control and design verification of the high-risk AI system;(b) techniques, procedures and systematic actions to be used for the design, design control and design verification of the high-risk AI system;
Article 17 – paragraph 1 – point c(c) techniques, procedures and systematic actions to be used for the development, quality control and quality assurance of the high-risk AI system;(c) techniques, procedures and systematic actions to be used for the development, quality control and quality assurance of the high-risk AI system;(c) techniques, procedures and systematic actions to be used for the development, quality control and quality assurance of the high-risk AI system; (c) techniques, procedures and systematic actions to be used for the development, quality control and quality assurance of the high-risk AI system;
Article 17 – paragraph 1 – point d(d) examination, test and validation procedures to be carried out before, during and after the development of the high-risk AI system, and the frequency with which they have to be carried out;(d) examination, test and validation procedures to be carried out before, during and after the development of the high-risk AI system, and the frequency with which they have to be carried out;(d) examination, test and validation procedures to be carried out before, during and after the development of the high-risk AI system, and the frequency with which they have to be carried out;(d) examination, test and validation procedures to be carried out before, during and after the development of the high-risk AI system, and the frequency with which they have to be carried out;
Article 17 – paragraph 1 – point e(e) technical specifications, including standards, to be applied and, where the relevant harmonised standards are not applied in full, the means to be used to ensure that the high-risk AI system complies with the requirements set out in Chapter 2 of this Title;(e) technical specifications, including standards, to be applied and, where the relevant harmonised standards are not applied in full, or do not cover all of the relevant requirements, the means to be used to ensure that the high-risk AI system complies with the requirements set out in Chapter 2 of this Title;(e) technical specifications, including standards, to be applied and, where the relevant harmonised standards are not applied in full, the means to be used to ensure that the high-risk AI system complies with the requirements set out in Chapter 2 of this Title;(e) technical specifications, including standards, to be applied and, where the relevant harmonised standards are not applied in full, or do not cover all of the relevant requirements, the means to be used to ensure that the high-risk AI system complies with the requirements set out in Chapter 2 of this Title;
Article 17 – paragraph 1 – point f(f) systems and procedures for data management, including data collection, data analysis, data labelling, data storage, data filtration, data mining, data aggregation, data retention and any other operation regarding the data that is performed before and for the purposes of the placing on the market or putting into service of high-risk AI systems;(f) systems and procedures for data management, including data acquisition data collection, data analysis, data labelling, data storage, data filtration, data mining, data aggregation, data retention and any other operation regarding the data that is performed before and for the purposes of the placing on the market or putting into service of high-risk AI systems;(f) systems and procedures for data management, including data collection, data analysis, data labelling, data storage, data filtration, data mining, data aggregation, data retention and any other operation regarding the data that is performed before and for the purposes of the placing on the market or putting into service of high-risk AI systems;(f) systems and procedures for data management, including data acquisition, data collection, data analysis, data labelling, data storage, data filtration, data mining, data aggregation, data retention and any other operation regarding the data that is performed before and for the purposes of the placing on the market or putting into service of high-risk AI systems;
Article 17 – paragraph 1 – point g(g) the risk management system referred to in Article 9;(g) the risk management system referred to in Article 9;(g) the risk management system referred to in Article 9; (g) the risk management system referred to in Article 9;
Article 17 – paragraph 1 – point h(h) the setting-up, implementation and maintenance of a post-market monitoring system, in accordance with Article 61;(h) the setting-up, implementation and maintenance of a post-market monitoring system, in accordance with Article 61;(h) the setting-up, implementation and maintenance of a post-market monitoring system, in accordance with Article 61; (h) the setting-up, implementation and maintenance of a post-market monitoring system, in accordance with Article 61;
Article 17 – paragraph 1 – point i(i) procedures related to the reporting of serious incidents and of malfunctioning in accordance with Article 62;(i) procedures related to the reporting of serious incidents and of malfunctioning in accordance with Article 62;(i) procedures related to the reporting of a serious incident in accordance with Article 62;(i) procedures related to the reporting of serious incidents and of malfunctioning in accordance with Article 62;
Article 17 – paragraph 1 – point j(j) the handling of communication with national competent authorities, competent authorities, including sectoral ones, providing or supporting the access to data, notified bodies, other operators, customers or other interested parties;(j) the handling of communication with relevant competent authorities, including sectoral ones;(j) the handling of communication with national competent authorities, competent authorities, including sectoral ones, providing or supporting the access to data, notified bodies, other operators, customers or other interested parties;(j) the handling of communication with national competent authorities, relevant competent authorities, including sectoral ones, providing or supporting the access to data, notified bodies, other operators, customers or other interested parties;
Article 17 – paragraph 1 – point k(k) systems and procedures for record keeping of all relevant documentation and information;(k) systems and procedures for record keeping of all relevant documentation and information;(k) systems and procedures for record keeping of all relevant documentation and information;(k) systems and procedures for record keeping of all relevant documentation and information;
Article 17 – paragraph 1 – point l(l) resource management, including security of supply related measures;(l) resource management, including security of supply related measures;(l) resource management, including security of supply related measures;(l) resource management, including security of supply related measures;
Article 17 – paragraph 1 – point m(m) an accountability framework setting out the responsibilities of the management and other staff with regard to all aspects listed in this paragraph.(m) an accountability framework setting out the responsibilities of the management and other staff with regard to all aspects listed in this paragraph.(m) an accountability framework setting out the responsibilities of the management and other staff with regard to all aspects listed in this paragraph.(m) an accountability framework setting out the responsibilities of the management and other staff with regard to all aspects listed in this paragraph.
Article 17 – paragraph 22. The implementation of aspects referred to in paragraph 1 shall be proportionate to the size of the provider’s organisation.2. The implementation of aspects referred to in paragraph 1 shall be proportionate to the size of the provider’s organisation. Providers shall in any event respect the degree of rigour and the level of protection required to ensure compliance of their AI systems with this Regulation.2. The implementation of aspects referred to in paragraph 1 shall be proportionate to the size of the provider’s organisation.2. The implementation of aspects referred to in paragraph 1 shall be proportionate to the size of the provider’s organisation. Providers shall in any event respect the degree of rigour and the level of protection required to ensure compliance of their AI systems with this Regulation.
Article 17 – paragraph 2a (new)2a. For providers of high-risk AI systems that are subject to obligations regarding quality management systems under relevant sectorial Union law, the aspects described in paragraph 1 may be part of the quality management systems pursuant to that law.None
Article 17 – paragraph 33.For providers that are credit institutions regulated by Directive 2013/36/ EU, the obligation to put a quality management system in place shall be deemed to be fulfilled by complying with the rules on internal governance arrangements, processes and mechanisms pursuant to Article 74 of that Directive. In that context, any harmonised standards referred to in Article 40 of this Regulation shall be taken into account.3.For providers that are credit institutions regulated by Directive 2013/36/ EU, the obligation to put a quality management system in place shall be deemed to be fulfilled by complying with the rules on internal governance arrangements, processes and mechanisms pursuant to Article 74 of that Directive. In that context, any harmonised standards referred to in Article 40 of this Regulation shall be taken into account.3. For providers that are financial institutions subject to requirements regarding their internal governance, arrangements or processes under Union financial services legislation, the obligation to put in place a quality management system with the exception of paragraph 1, points (g), (h) and (i) shall be deemed to be fulfilled by complying with the rules on internal governance arrangements or processes pursuant to the relevant Union financial services legislation. In that context, any harmonised standards referred to in Article 40 of this Regulation shall be taken into account.3. For providers that are credit institutions regulated by Directive 2013/36/ EU, or financial institutions subject to requirements regarding their internal governance, arrangements or processes under Union financial services legislation, the obligation to put a quality management system in place, with the exception of paragraph 1, points (g), (h) and (i), shall be deemed to be fulfilled by complying with the rules on internal governance arrangements, processes and mechanisms pursuant to Article 74 of that Directive or the relevant Union financial services legislation. In that context, any harmonised standards referred to in Article 40 of this Regulation shall be taken into account.
Article 18
NumberingCommissionParliamentCouncilText proposed by the AI
Article 18Article 18
Obligation to draw up technical documentation

deletedArticle 18
Documentation keeping		Article 18
Obligation to keep technical documentation
Article 18 – paragraph 11. Providers of high-risk AI systems shall draw up the technical documentation referred to in Article 11 in accordance with Annex IV.

deleted1. The provider shall, for a period ending 10 years after the AI system has been placed on the market or put into service, keep at the disposal of the national competent authorities:
(a) the technical documentation referred to in Article 11;
(b) the documentation concerning the quality management system referred to in Article 17;
(c) the documentation concerning the changes approved by notified bodies where applicable;
(d) the decisions and other documents issued by the notified bodies where applicable;
(e) the EU declaration of conformity referred to in Article 48.		1. Providers of high-risk AI systems shall draw up and maintain the technical documentation referred to in Article 11 in accordance with Annex IV. This documentation shall be kept at the disposal of the national competent authorities for a period ending 10 years after the AI system has been placed on the market or put into service. In addition to the technical documentation, the provider shall also keep at their disposal:
(a) the documentation concerning the quality management system referred to in Article 17;
(b) the documentation concerning the changes approved by notified bodies where applicable;
(c) the decisions and other documents issued by the notified bodies where applicable;
(d) the EU declaration of conformity referred to in Article 48.
Article 18 – paragraph 1a (new)1a. Each Member State shall determine conditions under which the documentation referred to in paragraph 1 remains at the disposal of the national competent authorities for the period indicated in that paragraph for the cases when a provider or its authorised representative established on its territory goes bankrupt or ceases its activity prior to the end of that period.None
Article 18 – paragraph 22. Providers that are credit institutions regulated by Directive 2013/36/EU shall maintain the technical documentation as part of the documentation concerning internal governance, arrangements, processes and mechanisms pursuant to Article 74 of that Directive.

deleted2. Providers that are financial institutions subject to requirements regarding their internal governance, arrangements or processes under Union financial services legislation shall maintain the technical documentation as part of the documentation kept under the relevant Union financial services legislation.
2. Providers that are financial institutions regulated by Directive 2013/36/EU or subject to requirements regarding their internal governance, arrangements, processes and mechanisms under Union financial services legislation shall maintain the technical documentation as part of the documentation concerning internal governance, arrangements, processes and mechanisms pursuant to Article 74 of that Directive or kept under the relevant Union financial services legislation.
Article 19
NumberingCommissionParliamentCouncilText proposed by the AI
Article 19Article 19
Conformity assessment

deleted

Article 19
Conformity assessment 		Article 19
Conformity assessment
Article 19 – paragraph 11. Providers of high-risk AI systems shall ensure that their systems undergo the relevant conformity assessment procedure in accordance with Article 43, prior to their placing on the market or putting into service. Where the compliance of the AI systems with the requirements set out in Chapter 2 of this Title has been demonstrated following that conformity assessment, the providers shall draw up an EU declaration of conformity in accordance with Article 48 and affix the CE marking of conformity in accordance with Article 49.

deleted1. Providers of high-risk AI systems shall ensure that their systems undergo the relevant conformity assessment procedure in accordance with Article 43, prior to their placing on the market or putting into service. Where the compliance of the AI systems with the requirements set out in Chapter 2 of this Title has been demonstrated following that conformity assessment, the providers shall draw up an EU declaration of conformity in accordance with Article 48 and affix the CE marking of conformity in accordance with Article 49. 1. Providers of high-risk AI systems shall ensure that their systems undergo the relevant conformity assessment procedure in accordance with Article 43, prior to their placing on the market or putting into service. Where the compliance of the AI systems with the requirements set out in Chapter 2 of this Title has been demonstrated following that conformity assessment, the providers shall draw up an EU declaration of conformity in accordance with Article 48 and affix the CE marking of conformity in accordance with Article 49.
Article 19 – paragraph 22. For high-risk AI systems referred to in point 5(b) of Annex III that are placed on the market or put into service by providers that are credit institutions regulated by Directive 2013/36/EU, the conformity assessment shall be carried out as part of the procedure referred to in Articles 97 to101 of that Directive.

deleteddeletedNone
Article 20
NumberingCommissionParliamentCouncilText proposed by the AI
Article 20 Article 20
Automatically generated logs		Article 20
Automatically generated logs		Article 20
Automatically generated logs		Article 20
Automatically generated logs
Article 20 – paragraph 11. Providers of high-risk AI systems shall keep the logs automatically generated by their high-risk AI systems, to the extent such logs are under their control by virtue of a contractual arrangement with the user or otherwise by law. The logs shall be kept for a period that is appropriate in the light of the intended purpose of high-risk AI system and applicable legal obligations under Union or national law.

1. Providers of high-risk AI systems shall keep the logs automatically generated by their high-risk AI systems, to the extent such logs are under their control. Without prejudice to applicable Union or national law, the logs shall be kept for a period of at least 6 months. The retention period shall be in accordance with industry standards and appropriate to the intended purpose of high-risk AI system.

1. Providers of high-risk AI systems shall keep the logs, referred to in Article 12(1),
automatically generated by their high-risk AI systems, to the extent such logs are under their control by virtue of a contractual arrangement with the user or otherwise by law. They shall keep them for a period of at least six months, unless provided otherwise in applicable Union or national law, in particular in Union law on the protection of personal data.		Providers of high-risk AI systems shall keep the logs, referred to in Article 12(1), automatically generated by their high-risk AI systems, to the extent such logs are under their control by virtue of a contractual arrangement with the user or otherwise by law. The logs shall be kept for a period that is appropriate in light of the intended purpose of the high-risk AI system and in accordance with industry standards. Without prejudice to applicable Union or national law, the logs shall be kept for a period of at least 6 months, unless provided otherwise in applicable Union or national law, in particular in Union law on the protection of personal data.
Article 20 – paragraph 22. Providers that are credit institutions regulated by Directive 2013/36/EU shall maintain the logs automatically generated by their high-risk AI systems as part of the documentation under Articles 74 of that Directive.
2. Providers that are credit institutions regulated by Directive 2013/36/EU shall maintain the logs automatically generated by their high-risk AI systems as part of the documentation under Articles 74 of that Directive.
2. Providers that are financial institutions subject to requirements regarding their internal governance, arrangements or processes under Union financial services legislation shall maintain the logs automatically generated by their high-risk AI systems as part of the documentation kept under the relevant financial service legislation.2. Providers that are credit institutions regulated by Directive 2013/36/EU and financial institutions subject to requirements regarding their internal governance, arrangements or processes under Union financial services legislation shall maintain the logs automatically generated by their high-risk AI systems as part of the documentation under Articles 74 of that Directive and the relevant financial service legislation.
Article 21
NumberingCommissionParliamentCouncilText proposed by the AI
Article 21Article 21
Corrective actions		Article 21
Corrective actions		Article 21
Corrective actions		None
Article 21 – paragraph 1
Providers of high-risk AI systems which consider or have reason to consider that a high-risk AI system which they have placed on the market or put into service is not in conformity with this Regulation shall immediately take the necessary corrective actions to bring that system into conformity, to withdraw it or to recall it, as appropriate. They shall inform the distributors of the high-risk AI system in question and, where applicable, the authorised representative and importers accordingly.

1. Providers of high-risk AI systems which consider or have reason to consider that a high-risk AI system which they have placed on the market or put into service is not in conformity with this Regulation shall immediately take the necessary corrective actions to bring that system into conformity, to withdraw it, to disable it or to recall it, as appropriate.

In the cases referred to in the first paragraph, providers shall immediately inform:
a. the distributors;
b. the importers;
c. the national competent authorities of the Member States in which they made the AI system available or put it into service; and
d. where possible, the deployer.		Providers of high-risk AI systems which consider or have reason to consider that a high-risk AI system which they have placed on the market or put into service is not in conformity with this Regulation shall immediately investigate, where applicable, the causes in collaboration with the reporting user and take the necessary corrective actions to bring that system into conformity, to withdraw it or to recall it, as appropriate. They shall inform the distributors of the high-risk AI system in question and, where applicable, the authorised representative and importers accordingly.Providers of high-risk AI systems which consider or have reason to consider that a high-risk AI system which they have placed on the market or put into service is not in conformity with this Regulation shall immediately investigate, where applicable, the causes in collaboration with the reporting user and take the necessary corrective actions to bring that system into conformity, to withdraw it, to disable it or to recall it, as appropriate. In the cases referred to, providers shall immediately inform the distributors, the importers, the national competent authorities of the Member States in which they made the AI system available or put it into service, and where possible, the deployer and, where applicable, the authorised representative accordingly.
Article 21 – paragraph 1a (new)
(1a) The providers shall also inform the authorised representative, if one was appointed in accordance with Article 25, and the notified body if the high-risk AI system had to undergo a third-party conformity assessment in accordance with Article 43. Where applicable, they shall also investigate the causes in collaboration with the deployer.

The providers are required to inform the authorised representative, if one was appointed as per Article 25, and the notified body if the high-risk AI system had to undergo a third-party conformity assessment in line with Article 43. If applicable, they should also investigate the causes in collaboration with the deployer.
Article 22
NumberingCommissionParliamentCouncilText proposed by the AI
Article 22Article 22
Duty of information		Article 22
Duty of information		Article 22
Duty of information		Article 22
Duty of information
Article 22 – paragraph 1Where the high-risk AI system presents a risk within the meaning of Article 65(1) and that risk is known to the provider of the system, that provider shall immediately inform the national competent authorities of the Member States in which it made the system available and, where applicable, the notified body that issued a certificate for the high-risk AI system, in particular of the non-compliance and of any corrective actions taken.

1. Where the high-risk AI system presents a risk within the meaning of Article 65(1) and the provider of the system becomes aware of that risk, that provider shall immediately inform the national supervisory authorities of the Member States in which it made the system available and, where applicable, the notified body that issued a certificate for the high-risk AI system, in particular the nature of the non-compliance and of any relevant corrective actions taken.

Where the high-risk AI system presents a risk within the meaning of Article 65(1) and the provider of the system becomes aware of that risk, that provider shall immediately inform the national supervisory authorities of the Member States in which it made the system available and, where applicable, the notified body that issued a certificate for the high-risk AI system, in particular the nature of the non-compliance and of any relevant corrective actions taken.

Where the high-risk AI system presents a risk within the meaning of Article 65(1) and the provider of the system becomes aware of that risk, that provider shall immediately inform the national competent authorities or supervisory authorities of the Member States in which it made the system available and, where applicable, the notified body that issued a certificate for the high-risk AI system, in particular of the non-compliance and of any corrective actions taken.
Article 22 – paragraph 1a (new)
1a. In the cases referred to inthe first paragraph, providers of the high-risk AI system shall immediately inform:
a) the distributors;
b) the importers;
c) the national competent authorities of the Member States in which they made the AI system available or put it into service; and
d) where possible, the deployers. 		In the event of the scenarios outlined in the first paragraph, providers of the high-risk AI system are obligated to promptly notify:
a) the distributors;
b) the importers;
c) the national competent authorities of the Member States where the AI system has been made available or put into service; and
d) if feasible, the deployers.
Article 22 – paragraph 1b (new)1b. The providers shall also inform the authorised representative, if one was appointed in accordance with Article 25.The providers are required to inform the authorised representative, should one be appointed in line with Article 25.
Article 23
NumberingCommissionParliamentCouncilText proposed by the AI
Article 23 Article 23
Cooperation with competent authorities		Article 23
Cooperation with competent authorities, the Office and the Commission

Article 23
Cooperation with competent authorities		Article 23
Cooperation with competent authorities, the Office, and the Commission
Article 23 – paragraph 1Providers of high-risk AI systems shall, upon request by a national competent authority, provide that authority with all the information and documentation necessary to demonstrate the conformity of the high-risk AI system with the requirements set out in Chapter 2 of this Title, in an official Union language determined by the Member State concerned. Upon a reasoned request from a national competent authority, providers shall also give that authority access to the logs automatically generated by the high-risk AI system, to the extent such logs are under their control by virtue of a contractual arrangement with the user or otherwise by law.

1. Providers and where applicable, deployers of high-risk AI systems shall, upon a reasoned request by a national competent authority or where applicable, by the AI Office or the Commission, provide them with all the information and documentation necessary to demonstrate the conformity of the high-risk AI system with the requirements set out in Chapter 2 of this Title, in an official Union language determined by the Member State concerned.

Providers of high-risk AI systems shall, upon request by a national competent authority, provide that authority with all the information and documentation necessary to demonstrate the conformity of the high-risk AI system with the requirements set out in Chapter 2 of this Title, in a language which can be easily understood by the authority of the Member State concerned. Upon a reasoned request from a national competent authority, providers shall also give that authority access to the logs, referred to in Article 12(1), automatically generated by the high-risk AI system, to the extent such logs are under their control by virtue of a contractual arrangement with the user or otherwise by law.Providers and, where applicable, deployers of high-risk AI systems shall, upon a reasoned request by a national competent authority, the AI Office, or the Commission, provide them with all the information and documentation necessary to demonstrate the conformity of the high-risk AI system with the requirements set out in Chapter 2 of this Title, in an official Union language determined by the Member State concerned or in a language which can be easily understood by the authority of the Member State concerned. Upon a reasoned request from a national competent authority, providers shall also give that authority access to the logs, referred to in Article 12(1), automatically generated by the high-risk AI system, to the extent such logs are under their control by virtue of a contractual arrangement with the user or otherwise by law.
Article 23 – paragraph 1a (new)1a. Upon a reasoned request by a national competent authority or, where applicable, by the Commission, providers and, where applicable, deployers shall also give the requesting national competent authority or the Commission, as applicable, access to the logs automatically generated by the high-risk AI system, to the extent such logs are under their control.

Upon a reasoned request by a national competent authority or, if applicable, by the Commission, providers and, if applicable, deployers shall give the requesting national competent authority or the Commission, as applicable, access to the logs automatically generated by the high-risk AI system, provided such logs are under their control.
Article 23 – paragraph 1b (new)
1b. Any information obtained by a national competent authority or by the Commission pursuant to the provisions of this Article shall be considered a trade secret and be treated in compliance with the confidentiality obligations set out in Article 70.

All information obtained by a national competent authority or by the Commission in accordance with the provisions of this Article shall be deemed a trade secret and handled in accordance with the confidentiality obligations outlined in Article 70.
Article 23a (new)
Article 23a
Conditions for other persons to be subject to the obligations of a provider

1. Any natural or legal person shall be considered a provider of a new high-risk AI system for the purposes of this Regulation and shall be subject to the obligations of the provider under Article 16, in any of the following circumstances:
(a) they put their name or trademark on a high-risk AI system already placed on the market or put into service, without prejudice to contractual arrangements stipulating that the obligations are allocated otherwise;
(b) [deleted] (c) they make a substantial modification to a high-risk AI system already placed on the market or put into service;
(d) they modify the intended purpose of an AI system which is not high-risk and is already placed on the market or put ito service, in a way which makes the modified system a high-risk AI system;
(e) they place on the market or put into service a general purpose AI system as a high- risk AI system or as a component of a high-risk AI system.

2. Where the circumstances referred to in paragraph 1, point (a) or (c), occur, the provider that initially placed the high-risk AI system on the market or put it into service shall no longer be considered a provider for the purposes of this Regulation.

3. For high-risk AI systems that are safety components of products to which the legal acts listed in Annex II, section A apply, the manufacturer of those products shall be considered the provider of the high-risk AI system and shall be subject to the obligations under Article 16 under either of the following scenarios:
(i) the high-risk AI system is placed on the market together with the product under the name or trademark of the product manufacturer;
(ii) the high-risk AI system is put into service under the the name or trademark of the product manufacturer after the product has been placed on the market.		Article 23a
Conditions for other persons to be subject to the obligations of a provider

1. Any natural or legal person shall be considered a provider of a new high-risk AI system for the purposes of this Regulation and shall be subject to the obligations of the provider under Article 16, in any of the following circumstances:
(a) they put their name or trademark on a high-risk AI system already placed on the market or put into service, without prejudice to contractual arrangements stipulating that the obligations are allocated otherwise;
(b) they make a substantial modification to a high-risk AI system already placed on the market or put into service;
(c) they modify the intended purpose of an AI system which is not high-risk and is already placed on the market or put ito service, in a way which makes the modified system a high-risk AI system;
(d) they place on the market or put into service a general purpose AI system as a high- risk AI system or as a component of a high-risk AI system.

2. Where the circumstances referred to in paragraph 1, point (a) or (b), occur, the provider that initially placed the high-risk AI system on the market or put it into service shall no longer be considered a provider for the purposes of this Regulation.

3. For high-risk AI systems that are safety components of products to which the legal acts listed in Annex II, section A apply, the manufacturer of those products shall be considered the provider of the high-risk AI system and shall be subject to the obligations under Article 16 under either of the following scenarios:
(i) the high-risk AI system is placed on the market together with the product under the name or trademark of the product manufacturer;
(ii) the high-risk AI system is put into service under the the name or trademark of the product manufacturer after the product has been placed on the market.
Article 24
NumberingCommissionParliamentCouncilText proposed by the AI
Article 24Article 24
Obligations of product manufacturers		Article 24
Obligations of product manufacturers		deleted None
Article 24Where a high-risk AI system related to products to which the legal acts listed in Annex II, section A, apply, is placed on the market or put into service together with the product manufactured in accordance with those legal acts and under the name of the product manufacturer, the manufacturer of the product shall take the responsibility of the compliance of the AI system with this Regulation and, as far as the AI system is concerned, have the same obligations imposed by the present Regulation on the provider.Where a high-risk AI system related to products to which the legal acts listed in Annex II, section A, apply, is placed on the market or put into service together with the product manufactured in accordance with those legal acts and under the name of the product manufacturer, the manufacturer of the product shall take the responsibility of the compliance of the AI system with this Regulation and, as far as the AI system is concerned, have the same obligations imposed by the present Regulation on the provider.deleted Where a high-risk AI system related to products to which the legal acts listed in Annex II, section A, apply, is placed on the market or put into service together with the product manufactured in accordance with those legal acts and under the name of the product manufacturer, the manufacturer of the product shall take the responsibility of the compliance of the AI system with this Regulation and, as far as the AI system is concerned, have the same obligations imposed by the present Regulation on the provider.
Article 25
NumberingCommissionParliamentCouncilText proposed by the AI
Article 25Article 25
Authorised representatives		Article 25
Authorised representatives		Article 25
Authorised representatives		Article 25
Authorised representatives
Article 25 – paragraph 11. Prior to making their systems available on the Union market, where an importer cannot be identified, providers established outside the Union shall, by written mandate, appoint an authorised representative which is established in the Union.

1. Prior to making their systems available on the Union market, providers established outside the Union shall, by written mandate, appoint an authorised representative which is established in the Union.

1. Prior to making their systems available on the Union market providers established outside the Union shall, by written mandate, appoint an authorised representative which is established in the Union.1. Prior to making their systems available on the Union market, where an importer cannot be identified, providers established outside the Union shall, by written mandate, appoint an authorised representative which is established in the Union.
Article 25 – paragraph 1a (new)
1a. The authorised representative shall reside or be established in one of the Member States where the activities pursuant to Article 2, paragraphs 1(cb) are taking place.

The authorised representative is required to reside or be established in one of the Member States where the activities pursuant to Article 2, paragraphs 1(cb) are being conducted.
Article 25 – paragraph 1b (new)
1b. The provider shall provide its authorised representative with the necessary powers and resources to comply with its tasks under this Regulation.

The provider is obligated to equip its authorised representative with the necessary powers and resources to fulfill its tasks in accordance with this Regulation.
Article 25 – paragraph 2 – introductory part2. The authorised representative shall perform the tasks specified in the mandate received from the provider. The mandate shall empower the authorised representative to carry out the following tasks:

2. The authorised representative shall perform the tasks specified in the mandate received from the provider. It shall provide a copy of the mandate to the market surveillance authorities upon request, in one of the official languages of the institution of the Union determined by the national competent authority. For the purpose of this Regulation, the mandate shall empower the authorised representative to carry out the following tasks:

2. The authorised representative shall perform the tasks specified in the mandate received from the provider. For the purpose of this Regulation, the mandate shall empower the authorised representative to carry out only the following tasks:2. The authorised representative shall perform the tasks specified in the mandate received from the provider. The mandate shall empower the authorised representative to carry out only the following tasks. It shall provide a copy of the mandate to the market surveillance authorities upon request, in one of the official languages of the institution of the Union determined by the national competent authority. For the purpose of this Regulation, the mandate shall empower the authorised representative to carry out the following tasks:
Article 25 – paragraph 2 – point -a (new)
(-a) verify that the EU declaration of conformity and the technical documentation have been drawn up and that an appropriate conformity assessment procedure has
been carried out by the provider;		None
Article 25 – paragraph 2 – point a
(a) keep a copy of the EU declaration of conformity and the technical documentation at the disposal of the national competent authorities and national authorities referred to in Article 63(7);

(a) ensure that the EU declaration of conformity and the technical documentation have been drawn up and that an appropriate conformity assessment procedure has been carried out by the provider;

(a) keep at the disposal of the national competent authorities and national authorities referred to in Article 63(7), for a period ending 10 years after the high-risk AI system has been placed on the market or put into service, the contact details of the provider by which the authorised representative has been appointed, a copy of the EU declaration of conformity, the technical documentation and, if applicable, the certificate issued by the notified body;(a) Ensure that the EU declaration of conformity and the technical documentation have been drawn up and that an appropriate conformity assessment procedure has been carried out by the provider. Keep a copy of the EU declaration of conformity, the technical documentation, and, if applicable, the certificate issued by the notified body at the disposal of the national competent authorities and national authorities referred to in Article 63(7), for a period ending 10 years after the high-risk AI system has been placed on the market or put into service, along with the contact details of the provider by which the authorised representative has been appointed.
Article 25 – paragraph 2 – point aa (new)
(aa) keep at the disposal of the national competent authorities and national authorities referred to in Article 63(7), a copy of the EU declaration of conformity, the technical documentation and, if applicable, the certificate issued by the notified body;

The manufacturer shall maintain a copy of the EU declaration of conformity, the technical documentation and, if applicable, the certificate issued by the notified body, readily available for the national competent authorities and national authorities as specified in Article 63(7).
Article 25 – paragraph 2 – point b(b) provide a national competent authority, upon a reasoned request, with all the information and documentation necessary to demonstrate the conformity of a high-risk AI system with the requirements set out in Chapter 2 of this Title, including access to the logs automatically generated by the high-risk AI system to the extent such logs are under the control of the provider by virtue of a contractual arrangement with the user or otherwise by law;

(b) provide a national competent authority, upon a reasoned request, with all the information and documentation necessary to demonstrate the conformity of a high-risk AI system with the requirements set out in Chapter 2 of this Title, including access to the logs automatically generated by the high-risk AI system to the extent such logs are under the control of the provider;

(b) provide a national competent authority, upon a reasoned request, with all the information and documentation, including that kept according to point (b), necessary to demonstrate the conformity of a high-risk AI system with the requirements set out in Chapter 2 of this Title, including access to the logs, referred to in Article 12(1), automatically generated by the high-risk AI system to the extent such logs are under the control of the provider by virtue of a contractual arrangement with the user or otherwise by law;(b) provide a national competent authority, upon a reasoned request, with all the information and documentation, including that kept according to point (b), necessary to demonstrate the conformity of a high-risk AI system with the requirements set out in Chapter 2 of this Title, including access to the logs, referred to in Article 12(1), automatically generated by the high-risk AI system to the extent such logs are under the control of the provider by virtue of a contractual arrangement with the user or otherwise by law;
Article 25 – paragraph 2 – point c
(c) cooperate with competent national authorities, upon a reasoned request, on any action the latter takes in relation to the high-risk AI system.

(c) cooperate with national supervisory authorities, upon a reasoned request, on any action the authority takes to reduce and mitigate the risks posed by the high-risk AI system;(c) cooperate with national competent authorities, upon a reasoned request, on any action the latter takes in relation to the high-risk AI system.(c) cooperate with national competent supervisory authorities, upon a reasoned request, on any action the authority takes in relation to reducing and mitigating the risks posed by the high-risk AI system.
Article 25 – paragraph 2 – point ca [P] / point d [C] (new)
(ca) where applicable, comply with the registration obligations referred in Article 51, or, if the registration is carried out by the provider itself, ensure that the information referred to in point 3 of Annex VIII is correct.

(d) comply with the registration obligations referred to in Article 51(1) and, if the registration of the system is carried out by the provider itself, verify that the information referred to in Annex VIII, Part II, 1 to 11, is correct.Comply with the registration obligations referred to in Article 51 and, if applicable, Article 51(1). If the registration is carried out by the provider itself, ensure and verify that the information referred to in point 3 of Annex VIII and Part II, 1 to 11 of Annex VIII, is correct.
Article 25 – paragraph 2 – subparagraph 2 (new) The authorised representative shall terminate the mandate if it has sufficient reasons to consider that the provider acts contrary to its obligations under this Regulation. In such a case, it shall also immediately inform the market surveillance authority of the Member State in which it is established, as well as, where applicable, the relevant notified body, about the termination of the mandate and the reasons thereof.The authorised representative has the right to terminate the mandate if there are sufficient reasons to believe that the provider is not adhering to its obligations under this Regulation. In such instances, the representative must promptly notify the market surveillance authority of the Member State where it is established about the termination of the mandate and the reasons behind it. Additionally, if applicable, the relevant notified body should also be informed.
Article 25 – paragraph 2 – subparagraph 3 (new) The authorised representative shall be legally liable for defective AI systems on the same basis as, and jointly and severally with, the provider in respect of its potential liability under Council Directive 85/374/EEC.The authorised representative shall be legally liable for any defects in AI systems, sharing joint and several liability with the provider, in accordance with Council Directive 85/374/EEC.
Article 25 – paragraph 2a (new)2a. The authorised representative shall be mandated to be addressed, in addition to or instead of the provider, by, in particular, the national supervisory authority or the national competent authorities, on all issues related to ensuring compliance with this Regulation.

The authorised representative shall be mandated to be addressed, either in addition to or instead of the provider, by relevant entities such as the national supervisory authority or the national competent authorities, on all issues related to ensuring compliance with this Regulation.
Article 25 – paragraph 2b (new)
2b. The authorised representative shall terminate the mandate if it considers or has reason to consider that the provider acts contrary to its obligations under this Regulation. In such a case, it shall also immediately inform the national supervisory authority of the Member State in which it is established, as well as, where applicable, the relevant notified body, about the termination of the mandate and the reasons thereof.

The authorised representative has the responsibility to terminate the mandate if there is reason to believe that the provider is not adhering to its obligations under this Regulation. In such instances, the representative must promptly notify the national supervisory authority of the Member State where it is established. Additionally, if applicable, the relevant notified body should also be informed about the termination of the mandate and the reasons for such action.
Article 26
NumberingCommissionParliamentCouncilText proposed by the AI
Article 26 Article 26
Obligations of importers		Article 26
Obligations of importers		Article 26
Obligations of importers		Article 26
Obligations of importers
Article 26 – paragraph 1 – introductory part1. Before placing a high-risk AI system on the market, importers of such system shall ensure that:

1. Before placing a high-risk AI system on the market, importers of such system shall ensure that such a system is in conformity with this Regulation by ensuring that:

1. Before placing a high-risk AI system on the market, importers of such system shall ensure that such a system is in conformity with this Regulation by verifying that:1. Before placing a high-risk AI system on the market, importers of such system shall ensure that such a system is in conformity with this Regulation by ensuring and verifying that:
Article 26 – paragraph 1 – point a
(a) the appropriate conformity assessment procedure has been carried out by the provider of that AI system(a) the relevant conformity assessment procedure referred to in Article 43 has been carried out by the provider of that AI system

(a) the relevant conformity assessment procedure referred to in Article 43 has been
carried out by the provider of that AI system; 		(a) the appropriate conformity assessment procedure, as referred to in Article 43, has been carried out by the provider of that AI system;
Article 26 – paragraph 1 – point b(b) the provider has drawn up the technical documentation in accordance with Annex IV;

(b) the provider has drawn up the technical documentation in accordance with Article 11 and Annex IV;

(b) the provider has drawn up the technical documentation in accordance with Annex IV;(b) the provider has drawn up the technical documentation in accordance with Article 11 and Annex IV;
Article 26 – paragraph 1 – point c
(c) the system bears the required conformity marking and is accompanied by the required documentation and instructions of use.(c) the system bears the required conformity marking and is accompanied by the required documentation and instructions of use.(c) the system bears the required CE conformity marking and is accompanied by the EU declaration of conformity and instructions of use;(c) the system bears the required CE conformity marking and is accompanied by the required EU declaration of conformity, documentation and instructions of use.
Article 26 – paragraph 1 – point ca / d (new)
(ca) where applicable, the provider has appointed an authorised representative in accordance with Article 25(1).(d) the authorised representative referred to in Article 25 has been established by the provider.The provider, where applicable, has established and appointed an authorised representative in accordance with Article 25(1).
Article 26 – paragraph 22. Where an importer considers or has reason to consider that a high-risk AI system is not in conformity with this Regulation, it shall not place that system on the market until that AI system has been brought into conformity. Where the high-risk AI system presents a risk within the meaning of Article 65(1), the importer shall inform the provider of the AI system and the market surveillance authorities to that effect.

2.Where an importer considers or has reason to consider that a high-risk AI system is not in conformity with this Regulation, or is counterfeit, or accompanied by falsified documentation it shall not place that system on the market until that AI system has been brought into conformity. Where the high-risk AI system presents a risk within the meaning of Article 65(1), the importer shall inform the provider of the AI system and the market surveillance authorities to that effect.

2. Where an importer has sufficient reasons to consider that a high-risk AI system is not in conformity with this Regulation, or is falsified, or accompanied by falsified documentation, it shall not place that system on the market until that AI system has been brought into conformity. Where the high-risk AI system presents a risk within the meaning of Article 65(1), the importer shall inform the provider of the AI system, the authorised representatives and the market surveillance authorities to that effect.2. Where an importer considers or has sufficient reason to consider that a high-risk AI system is not in conformity with this Regulation, or is counterfeit, or is falsified, or accompanied by falsified documentation, it shall not place that system on the market until that AI system has been brought into conformity. Where the high-risk AI system presents a risk within the meaning of Article 65(1), the importer shall inform the provider of the AI system, the authorised representatives and the market surveillance authorities to that effect.
Article 26 – paragraph 33. Importers shall indicate their name, registered trade name or registered trade mark, and the address at which they can be contacted on the high-risk AI system or, where that is not possible, on its packaging or its accompanying documentation, as applicable.

3. Importers shall indicate their name, registered trade name or registered trade mark, and the address at which they can be contacted on the high-risk AI system and on its packaging or its accompanying documentation, where applicable.

3. Importers shall indicate their name, registered trade name or registered trade mark, and the address at which they can be contacted on the high-risk AI system or, where that is not possible, on its packaging or its accompanying documentation, as applicable.3. Importers shall indicate their name, registered trade name or registered trade mark, and the address at which they can be contacted on the high-risk AI system and, where that is not possible, on its packaging or its accompanying documentation, as applicable.
Article 26 – paragraph 44. Importers shall ensure that, while a high-risk AI system is under their responsibility, where applicable, storage or transport conditions do not jeopardise its compliance with the requirements set out in Chapter 2 of this Title.
4. Importers shall ensure that, while a high-risk AI system is under their responsibility, where applicable, storage or transport conditions do not jeopardise its compliance with the requirements set out in Chapter 2 of this Title.
4. Importers shall ensure that, while a high-risk AI system is under their responsibility, where applicable, storage or transport conditions do not jeopardise its compliance with the requirements set out in Chapter 2 of this Title.4. Importers shall ensure that, while a high-risk AI system is under their responsibility, where applicable, storage or transport conditions do not jeopardise its compliance with the requirements set out in Chapter 2 of this Title.
Article 26 – paragraph 4a (new)4a. Importers shall keep, for a period ending 10 years after the AI system has been placed on the market or put into service, a copy of the certificate issued by the notified body, where applicable, of the instructions for use and of the EU declaration of conformity.None
Article 26 – paragraph 5
5. Importers shall provide national competent authorities, upon a reasoned request, with all necessary information and documentation to demonstrate the conformity of a high-risk AI system with the requirements set out in Chapter 2 of this Title in a language which can be easily understood by that national competent authority, including access to the logs automatically generated by the high-risk AI system to the extent such logs are under the control of the provider by virtue of a contractual arrangement with the user or otherwise by law. They shall also cooperate with those authorities on any action national competent authority takes in relation to that system.

5. Importers shall provide national competent authorities, upon a reasoned request, with all the necessary information and documentation to demonstrate the conformity of a high-risk AI system with the requirements set out in Chapter 2 of this Title in a language which can be easily understood by them, including access to the logs automatically generated by the high-risk AI system to the extent such logs are under the control of the provider in accordance with Article 20.

5. Importers shall provide national competent authorities, upon a reasoned request, with all necessary information and documentation, including that kept in accordance with paragraph 5, to demonstrate the conformity of a high-risk AI system with the requirements set out in Chapter 2 of this Title in a language which can be easily understood by that national competent authority. To this purpose they shall also ensure that the technical documentation can be made available to those authorities.5. Importers shall provide national competent authorities, upon a reasoned request, with all necessary information and documentation, including that kept in accordance with paragraph 5, to demonstrate the conformity of a high-risk AI system with the requirements set out in Chapter 2 of this Title in a language which can be easily understood by that national competent authority. This includes access to the logs automatically generated by the high-risk AI system to the extent such logs are under the control of the provider by virtue of a contractual arrangement with the user or otherwise by law, or in accordance with Article 20. Importers shall also cooperate with those authorities on any action national competent authority takes in relation to that system and ensure that the technical documentation can be made available to those authorities.
Article 26 – paragraph 5a (new)5 a. Importers shall cooperate with national competent authorities on any action those authorities take to reduce and mitigate the risks posed by the high-risk AI system.5a. Importers shall cooperate with national competent authorities on any action those authorities take in relation to an AI system, of which they are the importer.5a. Importers shall cooperate with national competent authorities on any action those authorities take to reduce, mitigate the risks posed by, and relate to the high-risk AI system, of which they are the importer.
Article 27
NumberingCommissionParliamentCouncilText proposed by the AI
Article 27Article 27
Obligations of distributors		Article 27
Obligations of distributors		Article 27
Obligations of distributors		Article 27
Obligations of distributors
Article 27 – paragraph 11. Before making a high-risk AI system available on the market, distributors shall verify that the high-risk AI system bears the required CE conformity marking, that it is accompanied by the required documentation and instruction of use, and that the provider and the importer of the system, as applicable, have complied with the obligations set out in this Regulation.1. Before making a high-risk AI system available on the market, distributors shall verify that the high-risk AI system bears the required CE conformity marking, that it is accompanied by the required documentation and instruction of use, and that the provider and the importer of the system, as applicable, have complied with their obligations set out in this Regulation in Articles 16 and 26 respectively.

1. Before making a high-risk AI system available on the market, distributors shall verify that the high-risk AI system bears the required CE conformity marking, that it is accompanied by a copy of EU declaration of conformity and instruction of use, and that the provider and the importer of the system, as applicable, have complied with their obligations set out Article 16, point (b) and 26(3) respectively.1. Before making a high-risk AI system available on the market, distributors shall verify that the high-risk AI system bears the required CE conformity marking, that it is accompanied by the required documentation, a copy of EU declaration of conformity and instruction of use, and that the provider and the importer of the system, as applicable, have complied with their obligations set out in this Regulation in Articles 16, point (b) and 26(3) respectively.
Article 27 – paragraph 22. Where a distributor considers or has reason to consider that a high-risk AI system is not in conformity with the requirements set out in Chapter 2 of this Title, it shall not make the high-risk AI system available on the market until that system has been brought into conformity with those requirements. Furthermore, where the system presents a risk within the meaning of Article 65(1), the distributor shall inform the provider or the importer of the system, as applicable, to that effect.

2. Where a distributor considers or has reason to consider, on the basis of the information in its possession that a high-risk AI system is not in conformity with the requirements set out in Chapter 2 of this Title, it shall not make the high-risk AI system available on the market until that system has been brought into conformity with those requirements. Furthermore, where the system presents a risk within the meaning of Article 65(1), the distributor shall inform the provider or the importer of the system, the relevant national competent authority, as applicable, to that effect.2. Where a distributor considers or has reason to consider that a high-risk AI system is not in conformity with the requirements set out in Chapter 2 of this Title, it shall not make the high-risk AI system available on the market until that system has been brought into conformity with those requirements. Furthermore, where the system presents a risk within the meaning of Article 65(1), the distributor shall inform the provider or the importer of the system, as applicable, to that effect.2. Where a distributor considers or has reason to consider, on the basis of the information in its possession that a high-risk AI system is not in conformity with the requirements set out in Chapter 2 of this Title, it shall not make the high-risk AI system available on the market until that system has been brought into conformity with those requirements. Furthermore, where the system presents a risk within the meaning of Article 65(1), the distributor shall inform the provider or the importer of the system, as applicable, to that effect.
Article 27 – paragraph 33. Distributors shall ensure that, while a high-risk AI system is under their responsibility, where applicable, storage or transport conditions do not jeopardise the compliance of the system with the requirements set out in Chapter 2 of this Title.
3. Distributors shall ensure that, while a high-risk AI system is under their responsibility, where applicable, storage or transport conditions do not jeopardise the compliance of the system with the requirements set out in Chapter 2 of this Title.
3. Distributors shall ensure that, while a high-risk AI system is under their responsibility, where applicable, storage or transport conditions do not jeopardise the compliance of the system with the requirements set out in Chapter 2 of this Title.3. Distributors shall ensure that, while a high-risk AI system is under their responsibility, where applicable, storage or transport conditions do not jeopardise the compliance of the system with the requirements set out in Chapter 2 of this Title.
Article 27 – paragraph 44. A distributor that considers or has reason to consider that a high-risk AI system which it has made available on the market is not in conformity with the requirements set out in Chapter 2 of this Title shall take the corrective actions necessary to bring that system into conformity with those requirements, to withdraw it or recall it or shall ensure that the provider, the importer or any relevant operator, as appropriate, takes those corrective actions. Where the high-risk AI system presents a risk within the meaning of Article 65(1), the distributor shall immediately inform the national competent authorities of the Member States in which it has made the product available to that effect, giving details, in particular, of the non-compliance and of any corrective actions taken.

4. A distributor that considers or has reason to consider, on the basis of the information in its possession, that a high-risk AI system which it has made available on the market is not in conformity with the requirements set out in Chapter 2 of this Title shall take the corrective actions necessary to bring that system into conformity with those requirements, to withdraw it or recall it or shall ensure that the provider, the importer or any relevant operator, as appropriate, takes those corrective actions. Where the high-risk AI system presents a risk within the meaning of Article 65(1), the distributor shall immediately inform the provider or importer of the system and the national competent authorities of the Member States in which it has made the product available to that effect, giving details, in particular, of the non-compliance and of any corrective actions taken.

4. A distributor that considers or has reason to consider that a high-risk AI system which it has made available on the market is not in conformity with the requirements set out in Chapter 2 of this Title shall take the corrective actions necessary to bring that system into conformity with those requirements, to withdraw it or recall it or shall ensure that the provider, the importer or any relevant operator, as appropriate, takes those corrective actions. Where the high-risk AI system presents a risk within the meaning of Article 65(1), the distributor shall immediately inform the national competent authorities of the Member States in which it has made the product available to that effect, giving details, in particular, of the non-compliance and of any corrective actions taken.4. A distributor that considers or has reason to consider, on the basis of the information in its possession, that a high-risk AI system which it has made available on the market is not in conformity with the requirements set out in Chapter 2 of this Title shall take the corrective actions necessary to bring that system into conformity with those requirements, to withdraw it or recall it or shall ensure that the provider, the importer or any relevant operator, as appropriate, takes those corrective actions. Where the high-risk AI system presents a risk within the meaning of Article 65(1), the distributor shall immediately inform the provider or importer of the system and the national competent authorities of the Member States in which it has made the product available to that effect, giving details, in particular, of the non-compliance and of any corrective actions taken.
Article 27 – paragraph 55. Upon a reasoned request from a national competent authority, distributors of high-risk AI systems shall provide that authority with all the information and documentation necessary to demonstrate the conformity of a high-risk system with the requirements set out in Chapter 2 of this Title. Distributors shall also cooperate with that national competent authority on any action taken by that authority.5. Upon a reasoned request from a national competent authority, distributors of the high-risk AI system shall provide that authority with all the information and documentation in their possession or available to them, in accordance with the obligations of distributors as outlined in paragraph 1, that are necessary to demonstrate the conformity of a high-risk system with the requirements set out in Chapter 2 of this Title.

5. Upon a reasoned request from a national competent authority, distributors of high-risk AI systems shall provide that authority with all the information and documentation regarding its activities as described in paragraph 1 to 4.
5. Upon a reasoned request from a national competent authority, distributors of high-risk AI systems shall provide that authority with all the information and documentation in their possession or available to them, necessary to demonstrate the conformity of a high-risk system with the requirements set out in Chapter 2 of this Title. This includes information regarding its activities as described in paragraph 1 to 4. Distributors shall also cooperate with that national competent authority on any action taken by that authority.
Article 27 – paragraph 5a (new)5a. Distributors shall cooperate with national competent authorities on any action those authorities take to reduce and mitigate the risks posed by the high-risk AI system.

5a. Distributors shall cooperate with national competent authorities on any action those authorities take in relation to an AI system, of which they are the distributor.5a. Distributors shall cooperate with national competent authorities on any action those authorities take to reduce, mitigate the risks posed by, and relate to the high-risk AI system, of which they are the distributor.
Article 28
NumberingCommissionParliamentCouncilText proposed by the AI
Article 28 Article 28
Obligations of distributors, importers, users or any other third-party

Article 28
Responsibilities along the AI value chain of providers, distributors, importers, deployers or other third parties

deletedArticle 28
Responsibilities and Obligations of providers, distributors, importers, users, deployers or any other third-party involved in the AI value chain
Article 28 – paragraph 1 – introductory part
1. Any distributor, importer, user or other third-party shall be considered a provider for the purposes of this Regulation and shall be subject to the obligations of the provider under Article 16, in any of the following circumstances:1. Any distributor, importer, deployer or other third-party shall be considered a provider of a high-risk AI system for the purposes of this Regulation and shall be subject to the obligations of the provider under Article 16, in any of the following circumstances:

deleted1. Any distributor, importer, user, deployer or other third-party shall be considered a provider or a provider of a high-risk AI system for the purposes of this Regulation and shall be subject to the obligations of the provider under Article 16, in any of the following circumstances:
Article 28 – paragraph 1 – point a
(a) they place on the market or put into service a high-risk AI system under their name or trademark;

(a) they put their name or trademarkt on a high-risk AI system already placed on the market or put into service;

deleted(a) they put their name or trademark on a high-risk AI system that is placed on the market or put into service;
Article 28 – paragraph 1 – point b
(b) they modify the intended purpose of a high-risk AI system already placed on the market or put into service;

(b) they make a substantial modification to a high-risk AI system that has already been placed on the market or has already been put into service and in a way that it remains a high-risk AI system in accordance with Article 6;

deleted(b) they make a substantial modification to the intended purpose of a high-risk AI system that has already been placed on the market or put into service, in a way that it remains a high-risk AI system in accordance with Article 6;
Article 28 – paragraph 1 – point ba (new)
(ba) they make a substantial modification to an AI system, including a general purpose AI system, which has not been classified as high-risk and has already been placed on the market or put into service in such manner that the AI system becomes a high risk AI system in accordance with Article 6

They undertake a significant alteration to an AI system, including a general purpose AI system, which has not been previously identified as high-risk and has already been introduced to the market or put into service, resulting in the AI system being reclassified as a high-risk AI system in accordance with Article 6.
Article 28 – paragraph 1 – point c(c) they make a substantial modification to the high-risk AI system.(c) they make a substantial modification to the high-risk AI system.deletedNone
Article 28 – paragraph 22. Where the circumstances referred to in paragraph 1, point (b) or (c), occur, the provider that initially placed the high-risk AI system on the market or put it into service shall no longer be considered a provider for the purposes of this Regulation.2. Where the circumstances referred to in paragraph 1, point (a) to (ba) occur, the provider that initially placed the AI system on the market or put it into service shall no longer be considered a provider of that specific AI system for the purposes of this Regulation. This former provider shall provide the new provider with the technical documentation and all other relevant and reasonably expected information capabilities of the AI system, technical access or other assistance based on the generally acknowledged state of the art that are required for the fulfilment of the obligations set out in this Regulation.
This paragraph shall also apply to providers of foundation models as defined in Article 3 when the foundation model is directly integrated in an high-risk AI system.

deleted2. Where the circumstances referred to in paragraph 1, point (a) to (c), occur, the provider that initially placed the high-risk AI system or any AI system on the market or put it into service shall no longer be considered a provider for the purposes of this Regulation. This former provider shall provide the new provider with the technical documentation and all other relevant and reasonably expected information capabilities of the AI system, technical access or other assistance based on the generally acknowledged state of the art that are required for the fulfilment of the obligations set out in this Regulation. This paragraph shall also apply to providers of foundation models as defined in Article 3 when the foundation model is directly integrated in a high-risk AI system.
Article 28 – paragraph 2a (new)2a. The provider of a high risk AI system and the third party that supplies tools, services, components or processes that are used or integrated in the high risk AI system shall, by written agreement specify the information, capabilities, technical access, and or other assistance, based on the generally acknowledged state of the art, that the third party is required to provide in order to enable the provider of the high risk AI system to fully comply with the obligations under this Regulation.

The Commission shall develop and recommend non-binding model contractual terms between providers of high-risk AI systems and third parties that supply tools, services, components or processes that are used or integrated in high-risk AI systems in order to assist both parties in drafting and negotiating contracts with balanced contractual rights and obligations, consistent with each party’s level of control. When developing non-binding model contractual terms, the Commission shall take into account possible contractual requirements applicable in specific sectors or business cases. The non-binding contractual terms shall be published and be available free of charge in an easily usable electronic format on the AI Office’s website.		The provider of a high risk AI system and the third party that supplies tools, services, components or processes that are used or integrated in the high risk AI system shall, by written agreement, specify the information, capabilities, technical access, and or other assistance, based on the generally acknowledged state of the art, that the third party is required to provide in order to enable the provider of the high risk AI system to fully comply with the obligations under this Regulation.

The Commission shall develop and recommend non-binding model contractual terms between providers of high-risk AI systems and third parties that supply tools, services, components or processes that are used or integrated in high-risk AI systems. This is to assist both parties in drafting and negotiating contracts with balanced contractual rights and obligations, consistent with each party’s level of control.

When developing non-binding model contractual terms, the Commission shall take into account possible contractual requirements applicable in specific sectors or business cases. The non-binding contractual terms shall be published and be available free of charge in an easily usable electronic format on the AI Office’s website.
Article 28 – paragraph 2b (new)
2b. For the purposes of this Article, trade secrets shall be preserved and shall only be disclosed provided that all specific necessary measures pursuant to Directive (EU) 2016/943 are taken in advance to preserve their confidentiality, in particular with respect to third parties. Where necessary, appropriate technical and organizational arrangements can be agreed to protect intellectual property rights or trade secrets.

For the purposes of this Article, trade secrets shall be preserved and only disclosed provided that all specific necessary measures pursuant to Directive (EU) 2016/943 are taken in advance to preserve their confidentiality, particularly with respect to third parties. If necessary, suitable technical and organizational arrangements can be agreed upon to protect intellectual property rights or trade secrets.
Article 28a (new)Article 28 a
Unfair contractual terms unilaterally imposed on an SME or startup

1. A contractual term concerning the supply of tools, services, components or processes that are used or integrated in a high risk AI system or the remedies for the breach or the termination of related obligations which has been unilaterally imposed by an enterprise on a SME or startup shall not be binding on the latter enterprise if it is unfair.

2. A contractual term is not to be considered unfair where it arises from applicable Union law.

3. A contractual term is unfair if it is of such a nature that it objectively impairs the ability of the party upon whom the term has been unilaterally imposed to protect its legitimate commercial interest in the information in question or its use grossly deviates from good commercial practice in the supply of tools, services, components or processes that are used or integrated in a high-risk AI system, contrary to good faith and fair dealing or creates a significant imbalance between the rights and the obligations of the parties in the contract. A contractual term is also unfair if it has the effect of shifting penalties referred to in Article 71 or associated litigation costs across parties to the contract, as referred to in Article 71(8).

4. A contractual term is unfair for the purposes of this Article if its object or effect is to:
(a) exclude or limit the liability of the party that unilaterally imposed the term for intentional acts or gross negligence;
(b) exclude the remedies available to the party upon whom the term has been unilaterally imposed in the case of non-performance of contractual obligations or the liability of the party that unilaterally imposed the term in the case of a breach of those obligations;
(c) give the party that unilaterally imposed the term the exclusive right to determine whether the technical documentation, information supplied are in conformity with the contract or to interpret any term of the contract.

5. A contractual term shall be considered to be unilaterally imposed within the meaning of this Article if it has been supplied by one contracting party and the other contracting party has not been able to influence its content despite an attempt to negotiate it. The contracting party that supplied a contractual term shall bears the burden of proving that that term has not been unilaterally imposed.

6. Where the unfair contractual term is severable from the remaining terms of the contract, those remaining terms shall remain binding. The party that supplied the contested term shall not argue that the term is an unfair term.

7. This Article shall apply to all new contracts entered into force after … [date of entry into force of this Regulation]. Businesses shall review existing contractual obligations that are subject to this Regulation by …[three years after the date of entry into force of this Regulation].

8. Given the rapidity in which innovations occur in the markets, the list of unfair contractual terms within Article 28a shall be reviewed regularly by the Commission and be updated to new business practices if necessary.		Article 28 a
Unfair contractual terms unilaterally imposed on an SME or startup

1. A contractual term concerning the supply of tools, services, components or processes that are used or integrated in a high risk AI system or the remedies for the breach or the termination of related obligations which has been unilaterally imposed by an enterprise on a SME or startup shall not be binding on the latter enterprise if it is unfair.

2. A contractual term is not to be considered unfair where it arises from applicable Union law.

3. A contractual term is unfair if it is of such a nature that it objectively impairs the ability of the party upon whom the term has been unilaterally imposed to protect its legitimate commercial interest in the information in question or its use grossly deviates from good commercial practice in the supply of tools, services, components or processes that are used or integrated in a high-risk AI system, contrary to good faith and fair dealing or creates a significant imbalance between the rights and the obligations of the parties in the contract. A contractual term is also unfair if it has the effect of shifting penalties referred to in Article 71 or associated litigation costs across parties to the contract, as referred to in Article 71(8).

4. A contractual term is unfair for the purposes of this Article if its object or effect is to:
(a) exclude or limit the liability of the party that unilaterally imposed the term for intentional acts or gross negligence;
(b) exclude the remedies available to the party upon whom the term has been unilaterally imposed in the case of non-performance of contractual obligations or the liability of the party that unilaterally imposed the term in the case of a breach of those obligations;
(c) give the party that unilaterally imposed the term the exclusive right to determine whether the technical documentation, information supplied are in conformity with the contract or to interpret any term of the contract.

5. A contractual term shall be considered to be unilaterally imposed within the meaning of this Article if it has been supplied by one contracting party and the other contracting party has not been able to influence its content despite an attempt to negotiate it. The contracting party that supplied a contractual term shall bears the burden of proving that that term has not been unilaterally imposed.

6. Where the unfair contractual term is severable from the remaining terms of the contract, those remaining terms shall remain binding. The party that supplied the contested term shall not argue that the term is an unfair term.

7. This Article shall apply to all new contracts entered into force after … [date of entry into force of this Regulation]. Businesses shall review existing contractual obligations that are subject to this Regulation by …[three years after the date of entry into force of this Regulation].

8. Given the rapidity in which innovations occur in the markets, the list of unfair contractual terms within Article 28a shall be reviewed regularly by the Commission and be updated to new business practices if necessary.
Article 28b (new)Article 28b
Obligations of the provider of a foundation model

1. A provider of a foundation model shall, prior to making it available on the market or putting it into service, ensure that it is compliant with the requirements set out in this Article, regardless of whether it is provided as a standalone model or embedded in an AI system or a product, or provided under free and open source licences, as a service, as well as other distribution channels.

2. For the purpose of paragraph 1, the provider of a foundation model shall:
(a) demonstrate through appropriate design, testing and analysis the identification, the reduction and mitigation of reasonably foreseeable risks to health, safety, fundamental rights, the environment and democracy and the rule of law prior and throughout development with appropriate methods such as with the involvement of independent experts, as well as the documentation of remaining non-mitigable risks after development
(b) process and incorporate only datasets that are subject to appropriate data governance measures for foundation models, in particular measures to examine the suitability of the data sources and possible biases and appropriate mitigation
(c) design and develop the foundation model in order to achieve throughout its lifecycle appropriate levels of performance, predictability, interpretability, corrigibility, safety and cybersecurity assessed through appropriate methods such as model evaluation with the involvement of independent experts, documented analysis, and extensive testing during conceptualisation, design, and development;
(d) design and develop the foundation model, making use of applicable standards to reduce energy use, resource use and waste, as well as to increase energy efficiency, and the overall efficiency of the system, whithout prejudice to relevant existing Union and national law. This obligation shall not apply before the standards referred to in Article 40 are published. Foundation models shall be designed with capabilities enabling the measurement and logging of the consumption of energy and resources, and, where technically feasible, other environmental impact the deployment and use of the systems may have over their entire lifecycle;
(e) draw up extensive technical documentation and intelligible instructions for use, in order to enable the downstream providers to comply with their obligations pursuant to Articles 16 and 28(1);.
(f) establish a quality management system to ensure and document compliance with this Article, with the possibility to experiment in fulfilling this requirement,
(g) register that foundation model in the EU database referred to in Article 60, in accordance with the instructions outlined in Annex VIII point C.

When fulfilling those requirements, the generally acknowledged state of the art shall be taken into account, including as reflected in relevant harmonised standards or common specifications, as well as the latest assessment and measurement methods, reflected in particular in benchmarking guidance and capabilities referred to in Article 58a;

3. Providers of foundation models shall, for a period ending 10 years after their foundation models have been placed on the market or put into service, keep the technical documentation referred to in paragraph 2(e) at the disposal of the national competent authorities

4. Providers of foundation models used in AI systems specifically intended to generate, with varying levels of autonomy, content such as complex text, images, audio, or video (“generative AI”) and providers who specialise a foundation model into a generative AI system, shall in addition
a) comply with the transparency obligations outlined in Article 52 (1),
b) train, and where applicable, design and develop the foundation model in such a way as to ensure adequate safeguards against the generation of content in breach of Union law in line with the generally-acknowledged state of the art, and without prejudice to fundamental rights, including the freedom of expression,
c) without prejudice to Union or national or Union legislation on copyright, document and make publicly available a sufficiently detailed summary of the use of training data protected under copyright law. 		Article 28b
Obligations of the provider of a foundation model

1. A provider of a foundation model shall, prior to making it available on the market or putting it into service, ensure that it is compliant with the requirements set out in this Article, regardless of whether it is provided as a standalone model or embedded in an AI system or a product, or provided under free and open source licences, as a service, as well as other distribution channels.

2. For the purpose of paragraph 1, the provider of a foundation model shall:
(a) demonstrate through appropriate design, testing and analysis the identification, the reduction and mitigation of reasonably foreseeable risks to health, safety, fundamental rights, the environment and democracy and the rule of law prior and throughout development with appropriate methods such as with the involvement of independent experts, as well as the documentation of remaining non-mitigable risks after development
(b) process and incorporate only datasets that are subject to appropriate data governance measures for foundation models, in particular measures to examine the suitability of the data sources and possible biases and appropriate mitigation
(c) design and develop the foundation model in order to achieve throughout its lifecycle appropriate levels of performance, predictability, interpretability, corrigibility, safety and cybersecurity assessed through appropriate methods such as model evaluation with the involvement of independent experts, documented analysis, and extensive testing during conceptualisation, design, and development;
(d) design and develop the foundation model, making use of applicable standards to reduce energy use, resource use and waste, as well as to increase energy efficiency, and the overall efficiency of the system, whithout prejudice to relevant existing Union and national law. This obligation shall not apply before the standards referred to in Article 40 are published. Foundation models shall be designed with capabilities enabling the measurement and logging of the consumption of energy and resources, and, where technically feasible, other environmental impact the deployment and use of the systems may have over their entire lifecycle;
(e) draw up extensive technical documentation and intelligible instructions for use, in order to enable the downstream providers to comply with their obligations pursuant to Articles 16 and 28(1);.
(f) establish a quality management system to ensure and document compliance with this Article, with the possibility to experiment in fulfilling this requirement,
(g) register that foundation model in the EU database referred to in Article 60, in accordance with the instructions outlined in Annex VIII point C.

When fulfilling those requirements, the generally acknowledged state of the art shall be taken into account, including as reflected in relevant harmonised standards or common specifications, as well as the latest assessment and measurement methods, reflected in particular in benchmarking guidance and capabilities referred to in Article 58a;

3. Providers of foundation models shall, for a period ending 10 years after their foundation models have been placed on the market or put into service, keep the technical documentation referred to in paragraph 2(e) at the disposal of the national competent authorities

4. Providers of foundation models used in AI systems specifically intended to generate, with varying levels of autonomy, content such as complex text, images, audio, or video (“generative AI”) and providers who specialise a foundation model into a generative AI system, shall in addition
a) comply with the transparency obligations outlined in Article 52 (1),
b) train, and where applicable, design and develop the foundation model in such a way as to ensure adequate safeguards against the generation of content in breach of Union law in line with the generally-acknowledged state of the art, and without prejudice to fundamental rights, including the freedom of expression,
c) without prejudice to Union or national or Union legislation on copyright, document and make publicly available a sufficiently detailed summary of the use of training data protected under copyright law.
Article 29
NumberingCommissionParliamentCouncilText proposed by the AI
Article 29
Article 29
Obligations of users of high-risk AI systems		Article 29
Obligations of users of high-risk AI systems		Article 29
Obligations of users of high-risk AI systems		Article 29
Obligations of users of high-risk AI systems
Article 29 – paragraph 1
1. Users of high-risk AI systems shall use such systems in accordance with the instructions of use accompanying the systems, pursuant to paragraphs 2 and 5.1. Deployers of high-risk AI systems shall take appropriate technical and organisational measures to ensure they use such systems in accordance with the instructions of use accompanying the systems, pursuant to paragraphs 2 and 5 of this Article.

1. Users of high-risk AI systems shall use such systems in accordance with the instructions of use accompanying the systems, pursuant to paragraphs 2 and 5 of this Article.1. Users and deployers of high-risk AI systems shall take appropriate technical and organisational measures to ensure they use such systems in accordance with the instructions of use accompanying the systems, pursuant to paragraphs 2 and 5 of this Article.
Article 29 – paragraph 1a (new)1a. To the extent deployers exercise control over the high-risk AI system, they shall
i) implement human oversight according to the requirements laid down in this Regulation
(ii) ensure that the natural persons assigned to ensure human oversight of the high-risk AI systems are competent, properly qualified and trained, and have the necessary resources in order to ensure the effective supervision of the AI system in accordance with Article 14
(iii) ensure that relevant and appropriate robustness and cybersecurity measures are regularly monitored for effectiveness and are regularly adjusted or updated.		1a. Users shall assign human oversight to natural persons who have the necessary competence, training and authority.1a. Deployers and users of high-risk AI systems shall implement human oversight in accordance with the requirements of this Regulation. They shall assign this responsibility to competent and properly qualified natural persons who have undergone appropriate training and have the necessary resources and authority. These individuals will ensure the effective supervision of the AI system in line with Article 14. Additionally, relevant and robust cybersecurity measures should be regularly monitored for effectiveness and updated as necessary.
Article 29 – paragraph 22.  The obligations in paragraph 1 are without prejudice to other user obligations under Union or national law and to the user’s discretion in organising its own resources and activities for the purpose of implementing the human oversight measures indicated by the provider.2.  The obligations in paragraph 1 and 1a, are without prejudice to other deployer obligations under Union or national law and to the deployer’s discretion in organising its own resources and activities for the purpose of implementing the human oversight measures indicated by the provider.2. The obligations in paragraph 1 and 1a are without prejudice to other user obligations under Union or national law and to the user’s discretion in organising its own resources and activities for the purpose of implementing the human oversight measures indicated by the provider.2. The obligations in paragraph 1 and 1a are without prejudice to other user or deployer obligations under Union or national law and to the user or deployer’s discretion in organising its own resources and activities for the purpose of implementing the human oversight measures indicated by the provider.
Article 29 – paragraph 33.  Without prejudice to paragraph 1, to the extent the user exercises control over the input data, that user shall ensure that input data is relevant in view of the intended purpose of the high-risk AI system.3.  Without prejudice to paragraph 1 and 1a, to the extent the deployer exercises control over the input data, that deployershall ensure that input data is relevant and sufficiently representative in view of the intended purpose of the high-risk AI system.3. Without prejudice to paragraph 1, to the extent the user exercises control over the input data, that user shall ensure that input data is relevant in view of the intended purpose of the high-risk AI system.3. Without prejudice to paragraph 1 and 1a, to the extent the user/deployer exercises control over the input data, that user/deployer shall ensure that input data is relevant and sufficiently representative in view of the intended purpose of the high-risk AI system.
Article 29 – paragraph 4 – introductory part4.  Users shall monitor the operation of the high-risk AI system on the basis of the instructions of use. When they have reasons to consider that the use in accordance with the instructions of use may result in the AI system presenting a risk within the meaning of Article 65(1) they shall inform the provider or distributor and suspend the use of the system. They shall also inform the provider or distributor when they have identified any serious incident or any malfunctioning within the meaning of Article 62 and interrupt the use of the AI system. In case the user is not able to reach the provider, Article 62 shall apply mutatis mutandis.4.  Deployers shall monitor the operation of the high-risk AI system on the basis of the instructions of use and when relevant, inform providers in accordance with Article 61. When they have reasons to consider that the use in accordance with the instructions of use may result in the AI system presenting a risk within the meaning of Article 65(1) they shall, without undue delay, inform the provider or distributor and relevant national supervisory authorities and suspend the use of the system. They shall also immediately inform first the provider, and then the importer or distributor and relevant national supervisory authorities when they have identified any serious incident or any malfunctioning within the meaning of Article 62 and interrupt the use of the AI system. If the deployer is not able to reach the provider, Article 62 shall apply mutatis mutandis.4. Users shall implement human oversight and monitor the operation of the high-risk AI system on the basis of the instructions of use. When they have reasons to consider that the use in accordance with the instructions of use may result in the AI system presenting a risk within the meaning of Article 65(1) they shall inform the provider or distributor and suspend the use of the system. They shall also inform the provider or distributor when they have identified any serious incident and interrupt the use of the AI system. In case the user is not able to reach the provider, Article 62 shall apply mutatis mutandis. This obligation shall not cover sensitive operational data of users of AI systems which are law enforcement authorities.4. Users, also referred to as deployers, shall implement human oversight and monitor the operation of the high-risk AI system on the basis of the instructions of use. When they have reasons to consider that the use in accordance with the instructions of use may result in the AI system presenting a risk within the meaning of Article 65(1), they shall, without undue delay, inform the provider or distributor and relevant national supervisory authorities and suspend the use of the system. They shall also immediately inform first the provider, and then the importer or distributor and relevant national supervisory authorities when they have identified any serious incident or any malfunctioning within the meaning of Article 62 and interrupt the use of the AI system. If the user is not able to reach the provider, Article 62 shall apply mutatis mutandis. This obligation shall not cover sensitive operational data of users of AI systems which are law enforcement authorities.
Article 29 – paragraph 4 – subparagraph 1For users that are credit institutions regulated by Directive 2013/36/EU, the monitoring obligation set out in the first subparagraph shall be deemed to be fulfilled by complying with the rules on internal governance arrangements, processes and mechanisms pursuant to Article 74 of that Directive.For deployers that are credit institutions regulated by Directive 2013/36/EU, the monitoring obligation set out in the first subparagraph shall be deemed to be fulfilled by complying with the rules on internal governance arrangements, processes and mechanisms pursuant to Article 74 of that Directive.For users that are financial institutions subject to requirements regarding their internal governance, arrangements or processes under Union financial services legislation, the monitoring obligation set out in the first subparagraph shall be deemed to be fulfilled by complying with the rules on internal governance arrangements, processes and mechanisms pursuant to the relevant financial service legislation.For entities that are credit or financial institutions regulated by Directive 2013/36/EU or subject to requirements regarding their internal governance under Union financial services legislation, the monitoring obligation set out in the first subparagraph shall be deemed to be fulfilled by complying with the rules on internal governance arrangements, processes and mechanisms pursuant to Article 74 of that Directive or the relevant financial service legislation.
Article 29 – paragraph 5 – introductory part5.  Users of high-risk AI systems shall keep the logs automatically generated by that high-risk AI system, to the extent such logs are under their control. The logs shall be kept for a period that is appropriate in the light of the intended purpose of the high-risk AI system and applicable legal obligations under Union or national law.5.  Deployers of high-risk AI systems shall keep the logs automatically generated by that high-risk AI system, to the extent that such logs are under their control and are required for ensuring and demonstrating compliance with this Regulation, for ex-post audits of any reasonably foreseeable malfunction, incidents or misuses of the system, or for ensuring and monitoring for the proper functioning of the system throughout its lifecycleWithout prejudice to applicable Union or national law, the logs shall be kept for a period of at least six months. The retention period shall be in accordance with industry standards and appropriate to the intended purpose of the high-risk AI system.5. Users of high-risk AI systems shall keep the logs, referred to in Article 12(1), automatically generated by that high-risk AI system, to the extent such logs are under their control. They shall keep them for a period of at least six months, unless provided otherwise in applicable Union or national law, in particular in Union law on the protection of personal data.5. Deployers and users of high-risk AI systems shall keep the logs, referred to in Article 12(1), automatically generated by that high-risk AI system, to the extent such logs are under their control and are required for ensuring and demonstrating compliance with this Regulation, for ex-post audits of any reasonably foreseeable malfunction, incidents or misuses of the system, or for ensuring and monitoring for the proper functioning of the system throughout its lifecycle. The logs shall be kept for a period that is appropriate in the light of the intended purpose of the high-risk AI system and applicable legal obligations under Union or national law. Without prejudice to applicable Union or national law, in particular in Union law on the protection of personal data, the logs shall be kept for a period of at least six months. The retention period shall be in accordance with industry standards.
Article 29 – paragraph 5 – subparagraph 1Users that are credit institutions regulated by Directive 2013/36/EU shall maintain the logs as part of the documentation concerning internal governance arrangements, processes and mechanisms pursuant to Article 74 of that Directive.Deployers that are credit institutions regulated by Directive 2013/36/EU shall maintain the logs as part of the documentation concerning internal governance arrangements, processes and mechanisms pursuant to Article 74 of that Directive.Users that are financial institutions subject to requirements regarding their internal governance, arrangements or processes under Union financial services legislation shall maintain the logs as part of the documentation kept pursuant to the relevant Union financial service legislation.Institutions that are credit or financial institutions regulated by Directive 2013/36/EU or subject to requirements regarding their internal governance, arrangements or processes under Union financial services legislation shall maintain the logs as part of the documentation concerning internal governance arrangements, processes and mechanisms pursuant to Article 74 of that Directive or the relevant Union financial service legislation.
Article 29 – paragraph 5a (new) [P]5a. Prior to putting into service or use a high-risk AI system at the workplace, deployers shall consult workers representatives with a view to reaching an agreement in accordance with Directive 2002/14/EC and inform the affected employees that they will be subject to the system.Before the implementation or utilization of a high-risk AI system in the workplace, deployers are required to consult with worker representatives with the aim of reaching an agreement in line with Directive 2002/14/EC. Additionally, they must inform the employees who will be affected by the system.
Article 29 – paragraph 5b [P] / paragraph 5a [C] (new)5b. Deployers of high-risk AI systems that are public authorities or Union institutions, bodies, offices and agencies or undertakings referred to in Article 51(1a)(b) shall comply with the registration obligations referred to in Article 51.5a. Users of high-risk AI systems that are public authorities, agencies or bodies, with the exception of law enforcement, border control, immigration or asylum authorities, shall comply with the registration obligations referred to in Article 51. When they find that the system that they envisage to use has not been registered in the EU database referred to in Article 60 they shall not use that system and shall inform the provider or the distributor.5b. Users and deployers of high-risk AI systems that are public authorities, Union institutions, bodies, offices, agencies or undertakings referred to in Article 51(1a)(b), with the exception of law enforcement, border control, immigration or asylum authorities, shall comply with the registration obligations referred to in Article 51. If they find that the system they envisage to use has not been registered in the EU database referred to in Article 60, they shall not use that system and shall inform the provider or the distributor.
Article 29 – paragraph 66.  Users of high-risk AI systems shall use the information provided under Article 13 to comply with their obligation to carry out a data protection impact assessment under Article 35 of Regulation (EU) 2016/679 or Article 27 of Directive (EU) 2016/680, where applicable.6.  Where applicable, deployers of high-risk AI systems shall use the information provided under Article 13 to comply with their obligation to carry out a data protection impact assessment under Article 35 of Regulation (EU) 2016/679 or Article 27 of Directive (EU) 2016/680, a summary of which shall be published, having regard to the specific use and the specific context in which the AI system is intended to operateDeployers may revert in part to those data protection impact assessments for fulfilling some of the obligations set out in this article, insofar as the data protection impact assesment fulfill those obligations.6. Users of high-risk AI systems shall use the information provided under Article 13 to comply with their obligation to carry out a data protection impact assessment under Article 35 of Regulation (EU) 2016/679 or Article 27 of Directive (EU) 2016/680, where applicable.6. Where applicable, users and deployers of high-risk AI systems shall use the information provided under Article 13 to comply with their obligation to carry out a data protection impact assessment under Article 35 of Regulation (EU) 2016/679 or Article 27 of Directive (EU) 2016/680. A summary of this assessment shall be published, considering the specific use and context in which the AI system is intended to operate. Deployers may partially rely on these data protection impact assessments to fulfill some of the obligations set out in this article, provided that the data protection impact assessments fulfill those obligations.
Article 29 – paragraph 6a (new)6a. Without prejudice to Article 52, deployers of high-risk AI systems referred to in Annex III, which make decisions or assist in making decisions related to natural persons, shall inform the natural persons that they are subject to the use of the high-risk AI system. This information shall include the intended purpose and the type of decisions it makes. The deployer shall also inform the natural person about its right to an explanation referred to in Article 68c.Deployers of high-risk AI systems, as outlined in Annex III, which are involved in making decisions or assisting in decisions related to natural persons, are required to inform these individuals that they are subject to the use of the high-risk AI system. This information should include the intended purpose of the AI system and the type of decisions it makes. Furthermore, the deployer must inform the natural person about their right to an explanation as stated in Article 68c. This provision is applicable without prejudice to Article 52.
Article 29 – paragraph 6b [P] / paragraph 6a [C] (new)6b. Deployers shall cooperate with the relevant national competent authorities on any action those authorities take in relation with the high-risk system in order to implement this Regulation.6a. Users shall cooperate with national competent authorities on any action those authorities take in relation to an AI system, of which they are the user.6b. Users and deployers shall cooperate with the relevant national competent authorities on any action those authorities take in relation to a high-risk AI system, of which they are the user or deployer, in order to implement this Regulation.
Article 29a (new)Article 29 a
Fundamental rights impact assessment for high-risk AI systems

Prior to putting a high-risk AI system as defined in Article 6(2) into use, with the exception of AI systems intended to be used in area 2 of Annex III, deployers shall conduct an assessment of the systems’ impact in the specific context of use. This assessment shall include, at a minimum, the following elements:
(a) a clear outline of the intended purpose for which the system will be used;
(b) a clear outline of the intended geographic and temporal scope of the system’s use;
(c) categories of natural persons and groups likely to be affected by the use of the system;
(d) verification that the use of the system is compliant with relevant Union and national law on fundamental rights;
(e) the reasonably foreseeable impact on fundamental rights of putting the high-risk AI system into use;
(f) specific risks of harm likely to impact marginalised persons or vulnerable groups;
(g) the reasonably foreseeable adverse impact of the use of the system on the environment;
(h) a detailed plan as to how the harms and the negative impact on fundamental rights identified will be mitigated.
(j) the governance system the deployer will put in place, including human oversight, complaint-handling and redress.

2. If a detailed plan to mitigate the risks outlined in the course of the assessment outlined in paragraph 1 cannot be identified, the deployer shall refrain from putting the high-risk AI system into use and inform the provider and the National supervisory authority without undue delay. National supervisory authorities, pursuant to Articles 65 and 67, shall take this information into account when investigating systems which present a risk at national level.

3. The obligation outlined under paragraph 1 applies for the first use of the high-risk AI system. The deployer may, in similar cases, draw back on previously conducted fundamental rights impact assessment or existing assessment carried out by providers. If, during the use of the high-risk AI system, the deployer considers that the criteria listed in paragraph 1 are not longer met, it shall conduct a new fundamental rights impact assessment.

4. In the course of the impact assessment, the deployer, with the exception of SMEs, shall shall notify national supervisory authority and relevant stakeholders and shall, to best extent possible, involve representatives of the persons or groups of persons that are likely to be affected by the high-risk AI system, as identified in paragraph 1, including but not limited to: equality bodies, consumer protection agencies, social partners and data protection agencies, with a view to receiving input into the impact assessment. The deployer shall allow a period of six weeks for bodies to respond. SMEs may voluntarily apply the provisions laid down in this paragraph.

In the case referred to in Article 47(1), public authorities may be exempted from this obligations.

5. The deployer that is a public authority or an undertaking referred to in Article 51(1a) (b) shall publish a summary of the results of the impact assessment as part of the registration of use pursuant to their obligation under Article 51(2).

6. Where the deployer is already required to carry out a data protection impact assessment under Article 35 of Regulation (EU) 2016/679 or Article 27 of Directive (EU) 2016/680, the fundamental rights impact assessment referred to in paragraph 1 shall be conducted in conjunction with the data protection impact assessment. The data protection impact assessment shall be published as an addendum. 		None

CHAPTER 4: Notifying Authorities and Notified Bodies

Article 30
NumberingCommissionParliamentCouncilText proposed by the AI
Article 30Article 30
Notifying authorities		Article 30
Notifying authorities		Article 30
Notifying authorities		None
Article 30 – paragraph 11. Each Member State shall designate or establish a notifying authority responsible for setting up and carrying out the necessary procedures for the assessment, designation and notification of conformity assessment bodies and for their monitoring.1. Each Member State shall designate or establish a notifying authority responsible for setting up and carrying out the necessary procedures for the assessment, designation and notification of conformity assessment bodies and for their monitoring. Those procedures shall be developed in cooperation between the notifying authorities of all Member States.1. Each Member State shall designate or establish at least one notifying authority responsible for setting up and carrying out the necessary procedures for the assessment, designation and notification of conformity assessment bodies and for their monitoring.1. Each Member State shall designate or establish at least one notifying authority responsible for setting up and carrying out the necessary procedures for the assessment, designation and notification of conformity assessment bodies and for their monitoring. Those procedures shall be developed in cooperation between the notifying authorities of all Member States.
Article 30 – paragraph 22. Member States may designate a national accreditation body referred to in Regulation (EC) No 765/2008 as a notifying authority.2. Member States may designate a national accreditation body referred to in Regulation (EC) No 765/2008 as a notifying authority.2. Member States may decide that the assessment and monitoring referred to in paragraph 1 shall be carried out by a national accreditation body within the meaning of and in accordance with Regulation (EC) No 765/2008.2. Member States may designate or decide that the assessment, monitoring, and designation referred to in paragraph 1 shall be carried out by a national accreditation body referred to in Regulation (EC) No 765/2008 as a notifying authority.
Article 30 – paragraph 33. Notifying authorities shall be established, organised and operated in such a way that no conflict of interest arises with conformity assessment bodies and the objectivity and impartiality of their activities are safeguarded.3. Notifying authorities shall be established, organised and operated in such a way that no conflict of interest arises with conformity assessment bodies and the objectivity and impartiality of their activities are safeguarded.3. Notifying authorities shall be established, organised and operated in such a way that no conflict of interest arises with conformity assessment bodies and the objectivity and impartiality of their activities are safeguarded.3. Notifying authorities shall be established, organised and operated in such a way that no conflict of interest arises with conformity assessment bodies and the objectivity and impartiality of their activities are safeguarded.
Article 30 – paragraph 44. Notifying authorities shall be organised in such a way that decisions relating to the notification of conformity assessment bodies are taken by competent persons different from those who carried out the assessment of those bodies.4. Notifying authorities shall be organised in such a way that decisions relating to the notification of conformity assessment bodies are taken by competent persons different from those who carried out the assessment of those bodies.4. Notifying authorities shall be organised in such a way that decisions relating to the notification of conformity assessment bodies are taken by competent persons different from those who carried out the assessment of those bodies.4. Notifying authorities shall be organised in such a way that decisions relating to the notification of conformity assessment bodies are taken by competent persons different from those who carried out the assessment of those bodies.
Article 30 – paragraph 55. Notifying authorities shall not offer or provide any activities that conformity assessment bodies perform or any consultancy services on a commercial or competitive basis.5. Notifying authorities shall not offer or provide any activities that conformity assessment bodies perform or any consultancy services on a commercial or competitive basis.5. Notifying authorities shall not offer or provide any activities that conformity assessment bodies perform or any consultancy services on a commercial or competitive basis.5. Notifying authorities shall not offer or provide any activities that conformity assessment bodies perform or any consultancy services on a commercial or competitive basis.
Article 30 – paragraph 66. Notifying authorities shall safeguard the confidentiality of the information they obtain.6. Notifying authorities shall safeguard the confidentiality of the information they obtain.6. Notifying authorities shall safeguard the confidentiality of the information they obtain in accordance with Article 70.6. Notifying authorities shall safeguard the confidentiality of the information they obtain in accordance with Article 70.
Article 30 – paragraph 77. Notifying authorities shall have a sufficient number of competent personnel at their disposal for the proper performance of their tasks.7. Notifying authorities shall have a sufficient number of competent personnel at their disposal for the proper performance of their tasks. Where applicable, competent personnel shall have the necessary expertise, such as a degree in an appropriate legal field, in the supervision of fundamental rights enshrined in the Charter of Fundamental Rights of the European Union.7. Notifying authorities shall have an adequate number of competent personnel at their disposal for the proper performance of their tasks.7. Notifying authorities shall have a sufficient and adequate number of competent personnel at their disposal for the proper performance of their tasks. Where applicable, such competent personnel shall possess the necessary expertise, such as a degree in an appropriate legal field, for the supervision of fundamental rights enshrined in the Charter of Fundamental Rights of the European Union.
Article 30 – paragraph 88. Notifying authorities shall make sure that conformity assessments are carried out in a proportionate manner, avoiding unnecessary burdens for providers and that notified bodies perform their activities taking due account of the size of an undertaking, the sector in which it operates, its structure and the degree of complexity of the AI system in question.8. Notifying authorities shall make sure that conformity assessments are carried out in a proportionate and timely manner, avoiding unnecessary burdens for providers, and that notified bodies perform their activities taking due account of the size of an undertaking, the sector in which it operates, its structure and the degree of complexity of the AI system in question. Particular attention shall be paid to minimising administrative burdens and compliance costs for micro and small enterprises as defined in the Annex to Commission Recommendation 2003/361/EC.deleted8. Notifying authorities shall ensure that conformity assessments are carried out in a proportionate and timely manner, avoiding unnecessary burdens for providers. Notified bodies should perform their activities taking into account the size of an undertaking, the sector in which it operates, its structure, and the degree of complexity of the AI system in question. Special attention should be given to minimizing administrative burdens and compliance costs for micro and small enterprises as defined in the Annex to Commission Recommendation 2003/361/EC.
Article 31
NumberingCommissionParliamentCouncilText proposed by the AI
Article 31Article 31
Application of a conformity assessment body for notification		Article 31
Application of a conformity assessment body for notification		Article 31
Application of a conformity assessment body for notification		Article 31
Application of a conformity assessment body for notification
Article 31 – paragraph 11. Conformity assessment bodies shall submit an application for notification to the notifying authority of the Member State in which they are established.1. Conformity assessment bodies shall submit an application for notification to the notifying authority of the Member State in which they are established.1. Conformity assessment bodies shall submit an application for notification to the notifying authority of the Member State in which they are established.1. Conformity assessment bodies shall submit an application for notification to the notifying authority of the Member State in which they are established.
Article 31 – paragraph 22. The application for notification shall be accompanied by a description of the conformity assessment activities, the conformity assessment module or modules and the artificial intelligence technologies for which the conformity assessment body claims to be competent, as well as by an accreditation certificate, where one exists, issued by a national accreditation body attesting that the conformity assessment body fulfils the requirements laid down in Article 33. Any valid document related to existing designations of the applicant notified body under any other Union harmonisation legislation shall be added.2. The application for notification shall be accompanied by a description of the conformity assessment activities, the conformity assessment module or modules and the artificial intelligence technologies for which the conformity assessment body claims to be competent, as well as by an accreditation certificate, where one exists, issued by a national accreditation body attesting that the conformity assessment body fulfils the requirements laid down in Article 33. Any valid document related to existing designations of the applicant notified body under any other Union harmonisation legislation shall be added.2. The application for notification shall be accompanied by a description of the conformity assessment activities, the conformity assessment module or modules and the AI systems for which the conformity assessment body claims to be competent, as well as by an accreditation certificate, where one exists, issued by a national accreditation body attesting that the conformity assessment body fulfils the requirements laid down in Article 33. Any valid document related to existing designations of the applicant notified body under any other Union harmonisation legislation shall be added.2. The application for notification shall be accompanied by a description of the conformity assessment activities, the conformity assessment module or modules and the artificial intelligence technologies or AI systems for which the conformity assessment body claims to be competent, as well as by an accreditation certificate, where one exists, issued by a national accreditation body attesting that the conformity assessment body fulfils the requirements laid down in Article 33. Any valid document related to existing designations of the applicant notified body under any other Union harmonisation legislation shall be added.
Article 31 – paragraph 33. Where the conformity assessment body concerned cannot provide an accreditation certificate, it shall provide the notifying authority with the documentary evidence necessary for the verification, recognition and regular monitoring of its compliance with the requirements laid down in Article 33. For notified bodies which are designated under any other Union harmonisation legislation, all documents and certificates linked to those designations may be used to support their designation procedure under this Regulation, as appropriate.3. Where the conformity assessment body concerned cannot provide an accreditation certificate, it shall provide the notifying authority with the documentary evidence necessary for the verification, recognition and regular monitoring of its compliance with the requirements laid down in Article 33. For notified bodies which are designated under any other Union harmonisation legislation, all documents and certificates linked to those designations may be used to support their designation procedure under this Regulation, as appropriate.3. Where the conformity assessment body concerned cannot provide an accreditation certificate, it shall provide the notifying authority with all the documentary evidence necessary for the verification, recognition and regular monitoring of its compliance with the requirements laid down in Article 33. For notified bodies which are designated under any other Union harmonisation legislation, all documents and certificates linked to those designations may be used to support their designation procedure under this Regulation, as appropriate. The notified body shall update the documentation referred to in paragraph 2 and paragraph 3 whenever relevant changes occur, in order to enable the authority responsible for notified bodies to monitor and verify continuous compliance with all the requirements laid down in Article 33.3. Where the conformity assessment body concerned cannot provide an accreditation certificate, it shall provide the notifying authority with all the documentary evidence necessary for the verification, recognition and regular monitoring of its compliance with the requirements laid down in Article 33. For notified bodies which are designated under any other Union harmonisation legislation, all documents and certificates linked to those designations may be used to support their designation procedure under this Regulation, as appropriate. The notified body shall update the documentation referred to in this paragraph whenever relevant changes occur, in order to enable the authority responsible for notified bodies to monitor and verify continuous compliance with all the requirements laid down in Article 33.
Article 32
NumberingCommissionParliamentCouncilText proposed by the AI
Article 32Article 32
Notification procedure		Article 32
Notification procedure		Article 32
Notification procedure		None
Article 32 – paragraph 11. Notifying authorities may notify only conformity assessment bodies which have satisfied the requirements laid down in Article 33.1. Notifying authorities shall notify only conformity assessment bodies which have satisfied the requirements laid down in Article 33.1. Notifying authorities may only notify conformity assessment bodies which have satisfied the requirements laid down in Article 33.1. Notifying authorities shall only notify conformity assessment bodies which have satisfied the requirements laid down in Article 33.
Article 32 – paragraph 22. Notifying authorities shall notify the Commission and the other Member States using the electronic notification tool developed and managed by the Commission.2. Notifying authorities shall notify the Commission and the other Member States using the electronic notification tool developed and managed by the Commission of each conformity assessment body referred to in paragraph 1.2. Notifying authorities shall notify those bodies to the Commission and the other Member States using the electronic notification tool developed and managed by the Commission.2. Notifying authorities shall notify the Commission and the other Member States of each conformity assessment body referred to in paragraph 1, using the electronic notification tool developed and managed by the Commission.
Article 32 – paragraph 33. The notification shall include full details of the conformity assessment activities, the conformity assessment module or modules and the artificial intelligence technologies concerned.3.  The notification referred to in paragraph 2 shall include full details of the conformity assessment activities, the conformity assessment module or modules and the artificial intelligence technologies concerned, as well as the relevant attestation of competence.3. The notification referred to in paragraph 2 shall include full details of the conformity assessment activities, the conformity assessment module or modules and the AI systems concerned and the relevant attestation of competence. Where a notification is not based on an accreditation certificate as referred to in Article 31 (2), the notifying authority shall provide the Commission and the other Member States with documentary evidence which attests to the conformity assessment body’s competence and the arrangements in place to ensure that that body will be monitored regularly and will continue to satisfy the requirements laid down in Article 33.3. The notification referred to in paragraph 2 shall include full details of the conformity assessment activities, the conformity assessment module or modules, and the artificial intelligence technologies or AI systems concerned, as well as the relevant attestation of competence. Where a notification is not based on an accreditation certificate as referred to in Article 31 (2), the notifying authority shall provide the Commission and the other Member States with documentary evidence which attests to the conformity assessment body’s competence and the arrangements in place to ensure that that body will be monitored regularly and will continue to satisfy the requirements laid down in Article 33.
Article 32 – paragraph 44. The conformity assessment body concerned may perform the activities of a notified body only where no objections are raised by the Commission or the other Member States within one month of a notification.4. The conformity assessment body concerned may perform the activities of a notified body only where no objections are raised by the Commission or the other Member States within two weeks of the validation of the notification where it includes an accreditation certificate referred to in Article 31(2), or within two months of the notification where it incudes documentary evidence referred to in Article 31(3).4. The conformity assessment body concerned may perform the activities of a notified body only where no objections are raised by the Commission or the other Member States within two weeks of a notification by a notifying authority where it includes an accreditation certificate referred to in Article 31(2), or within two months of a notification by the notifying authority where it includes documentary evidence referred to in Article 31(3).4. The conformity assessment body concerned may perform the activities of a notified body only where no objections are raised by the Commission or the other Member States within one month of a notification by a notifying authority. This period is reduced to two weeks if the notification includes an accreditation certificate referred to in Article 31(2), or extended to two months if the notification includes documentary evidence referred to in Article 31(3).
Article 32 – paragraph 4a (new)4a. Where objections are raised, the Commission shall without delay enter into consultation with the relevant Member States and the conformity assessment body. In view thereof, the Commission shall decide whether the authorisation is justified or not. The Commission shall address its decision to the Member State concerned and the relevant conformity assessment body.In the event of objections being raised, the Commission shall promptly initiate consultation with the relevant Member States and the conformity assessment body. Following these consultations, the Commission shall make a determination on whether the authorisation is justified. The Commission’s decision shall be communicated to the concerned Member State and the relevant conformity assessment body.
Article 32 – paragraph 4b (new)4b. Member States shall notify the Commission and the other Member States of conformity assessment bodies.Member States shall notify the Commission and the other Member States of conformity assessment bodies.
Article 32 – paragraph 55. Notifying authorities shall notify the Commission and the other Member States of any subsequent relevant changes to the notification.5. Notifying authorities shall notify the Commission and the other Member States of any subsequent relevant changes to the notification.deleted5. Notifying authorities shall notify the Commission and the other Member States of any subsequent relevant changes to the notification.
Article 33
NumberingCommissionParliamentCouncilText proposed by the AI
Article 33Article 33
Notified bodies		Article 33
Notified bodies		Article 33
Requirements relating to notified bodies		Article 33
Notified Bodies and Requirements Relating to Them
Article 33 – paragraph 11. Notified bodies shall verify the conformity of high-risk AI system in accordance with the conformity assessment procedures referred to in Article 43.1. Notified bodies shall verify the conformity of high-risk AI system in accordance with the conformity assessment procedures referred to in Article 43.1. A notified body shall be established under national law and have legal personality.1. Notified bodies, established under national law and possessing legal personality, shall verify the conformity of high-risk AI systems in accordance with the conformity assessment procedures referred to in Article 43.
Article 33 – paragraph 22. Notified bodies shall satisfy the organisational, quality management, resources and process requirements that are necessary to fulfil their tasks.2. Notified bodies shall satisfy the organisational, quality management, resources and process requirements that are necessary to fulfil their tasks as well as the minimum cybersecurity requirements set out for public administration entities identified as operators of essential services pursuant to Directive (EU 2022/2555).2. Notified bodies shall satisfy the organisational, quality management, resources and process requirements that are necessary to fulfil their tasks.2. Notified bodies shall satisfy the organisational, quality management, resources and process requirements that are necessary to fulfil their tasks, including the minimum cybersecurity requirements set out for public administration entities identified as operators of essential services pursuant to Directive (EU 2022/2555), where applicable.
Article 33 – paragraph 33. The organisational structure, allocation of responsibilities, reporting lines and operation of notified bodies shall be such as to ensure that there is confidence in the performance by and in the results of the conformity assessment activities that the notified bodies conduct.3. The organisational structure, allocation of responsibilities, reporting lines and operation of notified bodies shall be such as to ensure that there is confidence in the performance by and in the results of the conformity assessment activities that the notified bodies conduct.3. The organisational structure, allocation of responsibilities, reporting lines and operation of notified bodies shall be such as to ensure that there is confidence in the performance by and in the results of the conformity assessment activities that the notified bodies conduct.3. The organisational structure, allocation of responsibilities, reporting lines and operation of notified bodies shall be such as to ensure that there is confidence in the performance by and in the results of the conformity assessment activities that the notified bodies conduct.
Article 33 – paragraph 44. Notified bodies shall be independent of the provider of a high-risk AI system in relation to which it performs conformity assessment activities. Notified bodies shall also be independent of any other operator having an economic interest in the high-risk AI system that is assessed, as well as of any competitors of the provider.4. Notified bodies shall be independent of the provider of a high-risk AI system in relation to which it performs conformity assessment activities. Notified bodies shall also be independent of any other operator having an economic interest in the high-risk AI system that is assessed, as well as of any competitors of the provider. This shall not preclude the use of assessed AI systems that are necessary for the operations of the conformity assessment body or the use of such systems for personal purposes.4. Notified bodies shall be independent of the provider of a high-risk AI system in relation to which it performs conformity assessment activities. Notified bodies shall also be independent of any other operator having an economic interest in the high-risk AI system that is assessed, as well as of any competitors of the provider.4. Notified bodies shall be independent of the provider of a high-risk AI system in relation to which it performs conformity assessment activities. Notified bodies shall also be independent of any other operator having an economic interest in the high-risk AI system that is assessed, as well as of any competitors of the provider. This shall not preclude the use of assessed AI systems that are necessary for the operations of the conformity assessment body or the use of such systems for personal purposes.
Article 33 – paragraph 4a (new)4a. A conformity assessment pursuant to paragraph 1 shall be performed by employees of notified bodies who have not provided any other other service related to the matter assessed than the conformity assessment to the provider of a high-risk AI system nor to any legal person connected to that provider in the 12 months’ period before the assessment and have committed to not providing them with such services in the 12 month period following the completion of the assessment.The conformity assessment as per paragraph 1 should be conducted by the personnel of notified bodies. These individuals must not have offered any service related to the subject of the assessment other than the conformity assessment itself to the provider of a high-risk AI system or any legally connected entity in the 12 months prior to the assessment. Furthermore, they must commit to not providing such services for a 12 month period following the completion of the assessment.
Article 33 – paragraph 55. Notified bodies shall be organised and operated so as to safeguard the independence, objectivity and impartiality of their activities. Notified bodies shall document and implement a structure and procedures to safeguard impartiality and to promote and apply the principles of impartiality throughout their organisation, personnel and assessment activities.5. Notified bodies shall be organised and operated so as to safeguard the independence, objectivity and impartiality of their activities. Notified bodies shall document and implement a structure and procedures to safeguard impartiality and to promote and apply the principles of impartiality throughout their organisation, personnel and assessment activities.5. Notified bodies shall be organised and operated so as to safeguard the independence, objectivity and impartiality of their activities. Notified bodies shall document and implement a structure and procedures to safeguard impartiality and to promote and apply the principles of impartiality throughout their organisation, personnel and assessment activities.5. Notified bodies shall be organised and operated so as to safeguard the independence, objectivity and impartiality of their activities. Notified bodies shall document and implement a structure and procedures to safeguard impartiality and to promote and apply the principles of impartiality throughout their organisation, personnel and assessment activities.
Article 33 – paragraph 66. Notified bodies shall have documented procedures in place ensuring that their personnel, committees, subsidiaries, subcontractors and any associated body or personnel of external bodies respect the confidentiality of the information which comes into their possession during the performance of conformity assessment activities, except when disclosure is required by law. The staff of notified bodies shall be bound to observe professional secrecy with regard to all information obtained in carrying out their tasks under this Regulation, except in relation to the notifying authorities of the Member State in which their activities are carried out.6. Notified bodies shall have documented procedures in place ensuring that their personnel, committees, subsidiaries, subcontractors and any associated body or personnel of external bodies respect the confidentiality of the information which comes into their possession during the performance of conformity assessment activities, except when disclosure is required by law. The staff of notified bodies shall be bound to observe professional secrecy with regard to all information obtained in carrying out their tasks under this Regulation, except in relation to the notifying authorities of the Member State in which their activities are carried out. Any information and documentation obtained by notified bodies pursuant to the provisions of this Article shall be treated in compliance with the confidentiality obligations set out in Article 70.6. Notified bodies shall have documented procedures in place ensuring that their personnel, committees, subsidiaries, subcontractors and any associated body or personnel of external bodies respect the confidentiality of the information in accordance with Article 70 which comes into their possession during the performance of conformity assessment activities, except when disclosure is required by law. The staff of notified bodies shall be bound to observe professional secrecy with regard to all information obtained in carrying out their tasks under this Regulation, except in relation to the notifying authorities of the Member State in which their activities are carried out.6. Notified bodies shall have documented procedures in place ensuring that their personnel, committees, subsidiaries, subcontractors and any associated body or personnel of external bodies respect the confidentiality of the information in accordance with Article 70, which comes into their possession during the performance of conformity assessment activities, except when disclosure is required by law. The staff of notified bodies shall be bound to observe professional secrecy with regard to all information obtained in carrying out their tasks under this Regulation, except in relation to the notifying authorities of the Member State in which their activities are carried out. Any information and documentation obtained by notified bodies pursuant to the provisions of this Article shall be treated in compliance with the confidentiality obligations set out in Article 70.
Article 33 – paragraph 77. Notified bodies shall have procedures for the performance of activities which take due account of the size of an undertaking, the sector in which it operates, its structure, the degree of complexity of the AI system in question.7. Notified bodies shall have procedures for the performance of activities which take due account of the size of an undertaking, the sector in which it operates, its structure, the degree of complexity of the AI system in question.7. Notified bodies shall have procedures for the performance of activities which take due account of the size of an undertaking, the sector in which it operates, its structure, the degree of complexity of the AI system in question.7. Notified bodies shall have procedures for the performance of activities which take due account of the size of an undertaking, the sector in which it operates, its structure, the degree of complexity of the AI system in question.
Article 33 – paragraph 88. Notified bodies shall take out appropriate liability insurance for their conformity assessment activities, unless liability is assumed by the Member State concerned in accordance with national law or that Member State is directly responsible for the conformity assessment.8. Notified bodies shall take out appropriate liability insurance for their conformity assessment activities, unless liability is assumed by the Member State concerned in accordance with national law or that Member State is directly responsible for the conformity assessment.8. Notified bodies shall take out appropriate liability insurance for their conformity assessment activities, unless liability is assumed by the Member State in which they are located in accordance with national law or that Member State is itself directly responsible for the conformity assessment.8. Notified bodies shall take out appropriate liability insurance for their conformity assessment activities, unless liability is assumed by the Member State concerned or the Member State in which they are located, in accordance with national law or that Member State is directly responsible or itself directly responsible for the conformity assessment.
Article 33 – paragraph 99. Notified bodies shall be capable of carrying out all the tasks falling to them under this Regulation with the highest degree of professional integrity and the requisite competence in the specific field, whether those tasks are carried out by notified bodies themselves or on their behalf and under their responsibility.9. Notified bodies shall be capable of carrying out all the tasks falling to them under this Regulation with the highest degree of professional integrity and the requisite competence in the specific field, whether those tasks are carried out by notified bodies themselves or on their behalf and under their responsibility.9. Notified bodies shall be capable of carrying out all the tasks falling to them under this Regulation with the highest degree of professional integrity and the requisite competence in the specific field, whether those tasks are carried out by notified bodies themselves or on their behalf and under their responsibility.9. Notified bodies shall be capable of carrying out all the tasks falling to them under this Regulation with the highest degree of professional integrity and the requisite competence in the specific field, whether those tasks are carried out by notified bodies themselves or on their behalf and under their responsibility.
Article 33 – paragraph 1010. Notified bodies shall have sufficient internal competences to be able to effectively evaluate the tasks conducted by external parties on their behalf. To that end, at all times and for each conformity assessment procedure and each type of high-risk AI system in relation to which they have been designated, the notified body shall have permanent availability of sufficient administrative, technical and scientific personnel who possess experience and knowledge relating to the relevant artificial intelligence technologies, data and data computing and to the requirements set out in Chapter 2 of this Title.10. Notified bodies shall have sufficient internal competences to be able to effectively evaluate the tasks conducted by external parties on their behalf. To that end, at all times and for each conformity assessment procedure and each type of high-risk AI system in relation to which they have been designated, the notified body shall have permanent availability of sufficient administrative, technical and scientific personnel who possess experience and knowledge relating to the relevant artificial intelligence technologies, data and data computing and to the requirements set out in Chapter 2 of this Title.10. Notified bodies shall have sufficient internal competences to be able to effectively evaluate the tasks conducted by external parties on their behalf. The notified body shall have permanent availability of sufficient administrative, technical, legal and scientific personnel who possess experience and knowledge relating to the relevant artificial intelligence technologies, data and data computing and to the requirements set out in Chapter 2 of this Title.10. Notified bodies shall have sufficient internal competences to be able to effectively evaluate the tasks conducted by external parties on their behalf. To that end, at all times and for each conformity assessment procedure and each type of high-risk AI system in relation to which they have been designated, the notified body shall have permanent availability of sufficient administrative, technical, legal and scientific personnel who possess experience and knowledge relating to the relevant artificial intelligence technologies, data and data computing and to the requirements set out in Chapter 2 of this Title.
Article 33 – paragraph 1111. Notified bodies shall participate in coordination activities as referred to in Article 38. They shall also take part directly or be represented in European standardisation organisations, or ensure that they are aware and up to date in respect of relevant standards.11. Notified bodies shall participate in coordination activities as referred to in Article 38. They shall also take part directly or be represented in European standardisation organisations, or ensure that they are aware and up to date in respect of relevant standards.11. Notified bodies shall participate in coordination activities as referred to in Article 38. They shall also take part directly or be represented in European standardisation organisations, or ensure that they are aware and up to date in respect of relevant standards.11. Notified bodies shall participate in coordination activities as referred to in Article 38. They shall also take part directly or be represented in European standardisation organisations, or ensure that they are aware and up to date in respect of relevant standards.
Article 33 – paragraph 1212. Notified bodies shall make available and submit upon request all relevant documentation, including the providers’ documentation, to the notifying authority referred to in Article 30 to allow it to conduct its assessment, designation, notification, monitoring and surveillance activities and to facilitate the assessment outlined in this Chapter.12. Notified bodies shall make available and submit upon request all relevant documentation, including the providers’ documentation, to the notifying authority referred to in Article 30 to allow it to conduct its assessment, designation, notification, monitoring and surveillance activities and to facilitate the assessment outlined in this Chapter.deletedNone
Article 33a (new)Article 33a
Presumption of conformity with requirements relating to notified bodies

Where a conformity assessment body demonstrates its conformity with the criteria laid down in the relevant harmonised standards or parts thereof the references of which have been published in the Official Journal of the European Union it shall be presumed to comply with the requirements set out in Article 33 in so far as the applicable harmonised standards cover those requirements.		Article 33a
Presumption of conformity with requirements relating to notified bodies

A conformity assessment body shall be presumed to comply with the requirements set out in Article 33, provided it demonstrates its conformity with the criteria outlined in the relevant harmonised standards or parts thereof. The references of these standards must have been published in the Official Journal of the European Union. This presumption is valid as long as the applicable harmonised standards cover the requirements mentioned in Article 33.
Article 34
NumberingCommissionParliamentCouncilText proposed by the AI
Article 34Article 34
Subsidiaries of and subcontracting by notified bodies		Article 34
Subsidiaries of and subcontracting by notified bodies		Article 34
Subsidiaries of and subcontracting by notified bodies		Article 34
Subsidiaries of and subcontracting by notified bodies
Article 34 – paragraph 11. Where a notified body subcontracts specific tasks connected with the conformity assessment or has recourse to a subsidiary, it shall ensure that the subcontractor or the subsidiary meets the requirements laid down in Article 33 and shall inform the notifying authority accordingly.1. Where a notified body subcontracts specific tasks connected with the conformity assessment or has recourse to a subsidiary, it shall ensure that the subcontractor or the subsidiary meets the requirements laid down in Article 33 and shall inform the notifying authority accordingly.1. Where a notified body subcontracts specific tasks connected with the conformity assessment or has recourse to a subsidiary, it shall ensure that the subcontractor or the subsidiary meets the requirements laid down in Article 33 and shall inform the notifying authority accordingly.1. Where a notified body subcontracts specific tasks connected with the conformity assessment or has recourse to a subsidiary, it shall ensure that the subcontractor or the subsidiary meets the requirements laid down in Article 33 and shall inform the notifying authority accordingly.
Article 34 – paragraph 22. Notified bodies shall take full responsibility for the tasks performed by subcontractors or subsidiaries wherever these are established.2. Notified bodies shall take full responsibility for the tasks performed by subcontractors or subsidiaries wherever these are established.2. Notified bodies shall take full responsibility for the tasks performed by subcontractors or subsidiaries wherever these are established.2. Notified bodies shall take full responsibility for the tasks performed by subcontractors or subsidiaries wherever these are established.
Article 34 – paragraph 33. Activities may be subcontracted or carried out by a subsidiary only with the agreement of the provider.3. Activities may be subcontracted or carried out by a subsidiary only with the agreement of the provider. Notified bodies shall make a list of their subsidiaries publicly available.3. Activities may be subcontracted or carried out by a subsidiary only with the agreement of the provider.3. Activities may be subcontracted or carried out by a subsidiary only with the agreement of the provider. Notified bodies shall make a list of their subsidiaries publicly available.
Article 34 – paragraph 44. Notified bodies shall keep at the disposal of the notifying authority the relevant documents concerning the assessment of the qualifications of the subcontractor or the subsidiary and the work carried out by them under this Regulation.4. Notified bodies shall keep at the disposal of the notifying authority the relevant documents concerning the verification of the qualifications of the subcontractor or the subsidiary and the work carried out by them under this Regulation.4. The relevant documents concerning the assessment of the qualifications of the subcontractor or the subsidiary and the work carried out by them under this Regulation shall be kept at the disposal of the notifying authority for a period of 5 years from the termination date of the subcontracting activity.4. Notified bodies shall keep at the disposal of the notifying authority the relevant documents concerning the assessment and verification of the qualifications of the subcontractor or the subsidiary and the work carried out by them under this Regulation. These documents shall be kept for a period of 5 years from the termination date of the subcontracting activity.
Article 34a (new)Article 34a
Operational obligations of notified bodies

1. Notified bodies shall verify the conformity of high-risk AI system in accordance with the conformity assessment procedures referred to in Article 43.

2. Notified bodies shall perform their activities while avoiding unnecessary burdens for providers, and taking due account of the size of an undertaking, the sector in which it operates, its structure and the degree of complexity of the high risk AI system in question. In so doing, the notified body shall nevertheless respect the degree of rigour and the level of protection required for the compliance of the high risk AI system with the requirements of this Regulation.

3. Notified bodies shall make available and submit upon request all relevant documentation, including the providers’ documentation, to the notifying authority referred to in Article 30 to allow that authority to conduct its assessment, designation, notification, monitoring activities and to facilitate the assessment outlined in this Chapter.		Article 34a
Operational obligations of notified bodies

1. Notified bodies shall verify the conformity of high-risk AI systems in accordance with the conformity assessment procedures referred to in Article 43.

2. Notified bodies shall carry out their activities while avoiding unnecessary burdens for providers, taking into consideration the size of an undertaking, the sector in which it operates, its structure, and the degree of complexity of the high-risk AI system in question. However, the notified body shall maintain the degree of rigour and the level of protection required for the compliance of the high-risk AI system with the requirements of this Regulation.

3. Notified bodies shall provide and submit upon request all relevant documentation, including the providers’ documentation, to the notifying authority referred to in Article 30. This is to allow the authority to conduct its assessment, designation, notification, and monitoring activities, and to facilitate the assessment outlined in this Chapter.
Article 35
NumberingCommissionParliamentCouncilText proposed by the AI
Article 35Article 35
Identification numbers and lists of notified bodies designated under this Regulation		Article 35
Identification numbers and lists of notified bodies		Article 35
Identification numbers and lists of notified bodies designated under this Regulation		Article 35
Identification numbers and lists of notified bodies designated under this Regulation
Article 35 – paragraph 11. The Commission shall assign an identification number to notified bodies. It shall assign a single number, even where a body is notified under several Union acts.1. The Commission shall assign an identification number to notified bodies. It shall assign a single number, even where a body is notified under several Union acts.1. The Commission shall assign an identification number to notified bodies. It shall assign a single number, even where a body is notified under several Union acts.1. The Commission shall assign an identification number to notified bodies. It shall assign a single number, even where a body is notified under several Union acts.
Article 35 – paragraph 22. The Commission shall make publicly available the list of the bodies notified under this Regulation, including the identification numbers that have been assigned to them and the activities for which they have been notified. The Commission shall ensure that the list is kept up to date.2. The Commission shall make publicly available the list of the bodies notified under this Regulation, including the identification numbers that have been assigned to them and the activities for which they have been notified. The Commission shall ensure that the list is kept up to date.2. The Commission shall make publicly available the list of the bodies notified under this Regulation, including the identification numbers that have been assigned to them and the activities for which they have been notified. The Commission shall ensure that the list is kept up to date.2. The Commission shall make publicly available the list of the bodies notified under this Regulation, including the identification numbers that have been assigned to them and the activities for which they have been notified. The Commission shall ensure that the list is kept up to date.
Article 36
NumberingCommissionParliamentCouncilText proposed by the AI
Article 36Article 36
Changes to notifications		Article 36
Changes to notifications		Article 36
Changes to notifications		Article 36
Changes to notifications
Article 36 – paragraph -1 (new)1. The notifying authority shall notify the Commission and the other Member States of any relevant changes to the notification of a notified body via the electronic notification tool referred to in Article 32(2).The notifying authority is required to inform the Commission and the other Member States about any significant modifications to the notification of a notified body through the electronic notification tool mentioned in Article 32(2).
Article 36 – paragraph -1a (new)2. The procedures described in Article 31 and 32 shall apply to extensions of the scope of the notification. For changes to the notification other than extensions of its scope, the procedures laid down in the following paragraphs shall apply.

Where a notified body decides to cease its conformity assessment activities it shall inform the notifying authority and the providers concerned as soon as possible and in the case of a planned cessation one year before ceasing its activities. The certificates may remain valid for a temporary period of nine months after cessation of the notified body’s activities on condition that another notified body has confirmed in writing that it will assume responsibilities for the AI systems covered by those certificates. The new notified body shall complete a full assessment of the AI systems affected by the end of that period before issuing new certificates for those systems. Where the notified body has ceased its activity, the notifying authority shall withdraw the designation.		The procedures outlined in Article 31 and 32 shall be applicable for extensions of the scope of the notification. For changes to the notification other than extensions of its scope, the procedures specified in the subsequent paragraphs shall be followed.

In the event a notified body decides to discontinue its conformity assessment activities, it is required to inform the notifying authority and the concerned providers as soon as possible. In case of a planned cessation, the notifying authority should be informed one year prior to ceasing its activities.

The certificates may remain valid for a temporary period of nine months after the cessation of the notified body’s activities, provided another notified body has confirmed in writing that it will assume responsibilities for the AI systems covered by those certificates.

The new notified body is required to complete a full assessment of the AI systems affected by the end of that period before issuing new certificates for those systems. In cases where the notified body has ceased its activity, the notifying authority is obligated to withdraw the designation.
Article 36 – paragraph 11. Where a notifying authority has suspicions or has been informed that a notified body no longer meets the requirements laid down in Article 33, or that it is failing to fulfil its obligations, that authority shall without delay investigate the matter with the utmost diligence. In that context, it shall inform the notified body concerned about the objections raised and give it the possibility to make its views known. If the notifying authority comes to the conclusion that the notified body investigation no longer meets the requirements laid down in Article 33 or that it is failing to fulfil its obligations, it shall restrict, suspend or withdraw the notification as appropriate, depending on the seriousness of the failure. It shall also immediately inform the Commission and the other Member States accordingly.1. Where a notifying authority has suspicions or has been informed that a notified body no longer meets the requirements laid down in Article 33, or that it is failing to fulfil its obligations, that authority shall without delay investigate the matter with the utmost diligence. In that context, it shall inform the notified body concerned about the objections raised and give it the possibility to make its views known. If the notifying authority comes to the conclusion that the notified body no longer meets the requirements laid down in Article 33 or that it is failing to fulfil its obligations, it shall restrict, suspend or withdraw the notification as appropriate, depending on the seriousness of the failure. It shall also immediately inform the Commission and the other Member States accordingly.3. Where a notifying authority has sufficient reasons to consider that a notified body no longer meets the requirements laid down in Article 33, or that it is failing to fulfil its obligations, the notifying authority shall, provided that the the notified body had the opportunity to make its views known, restrict, suspend or withdraw notification as appropriate, depending on the seriousness of the failure to meet those requirements or fulfil those obligations. It shall immediately inform the Commission and the other Member States accordingly.Where a notifying authority has suspicions or has been informed, or has sufficient reasons to consider that a notified body no longer meets the requirements laid down in Article 33, or that it is failing to fulfil its obligations, that authority shall without delay investigate the matter with the utmost diligence. In that context, it shall inform the notified body concerned about the objections raised and give it the possibility to make its views known. Provided that the notified body had the opportunity to make its views known, if the notifying authority comes to the conclusion that the notified body no longer meets the requirements laid down in Article 33 or that it is failing to fulfil its obligations, it shall restrict, suspend or withdraw the notification as appropriate, depending on the seriousness of the failure. It shall also immediately inform the Commission and the other Member States accordingly.
Article 36 – paragraph 1a (new)4. Where its designation has been suspended, restricted, or fully or partially withdrawn, the notified body shall inform the manufacturers concerned at the latest within 10 days.In the event of a suspension, restriction, or full or partial withdrawal of its designation, the notified body is required to inform the relevant manufacturers within a maximum period of 10 days.
Article 36 – paragraph 22. In the event of restriction, suspension or withdrawal of notification, or where the notified body has ceased its activity, the notifying authority shall take appropriate steps to ensure that the files of that notified body are either taken over by another notified body or kept available for the responsible notifying authorities at their request.2. In the event of restriction, suspension or withdrawal of notification, or where the notified body has ceased its activity, the notifying authority shall take appropriate steps to ensure that the files of that notified body are either taken over by another notified body or kept available for the responsible notifying authorities, and market surveillance authority at their request.5. In the event of restriction, suspension or withdrawal of a notification, the notifying authority shall take appropriate steps to ensure that the files of the notified body concerned are kept and make them available to notifying authorities in other Member States and to market surveillance authorities at their request.In the event of restriction, suspension or withdrawal of notification, or where the notified body has ceased its activity, the notifying authority shall take appropriate steps to ensure that the files of that notified body are either taken over by another notified body or kept available. These files should be made available to the responsible notifying authorities in other Member States, and to market surveillance authorities at their request.
Article 36 – paragraph 2a (new)6. In the event of restriction, suspension or withdrawal of a designation, the notifying authority shall:
a) assess the impact on the certificates issued by the notified body;
b) submit a report on its findings to the Commission and the other Member States within three months of having notified the changes to the notification;
c) require the notified body to suspend or withdraw, within a reasonable period of time determined by the authority, any certificates which were unduly issued in order to ensure the conformity of AI systems on the market;
d) inform the Commission and the Member States about certificates of which it has required their suspension or withdrawal;
e) provide the national competent authorities of the Member State in which the provider has its registered place of business with all relevant information about the certificates for which it has required suspension or withdrawal.

That competent authority shall take the appropriate measures, where necessary, to avoid a potential risk to health, safety or fundamental rights.		In the event of restriction, suspension or withdrawal of a designation, the notifying authority is required to:

a) Evaluate the impact on the certificates issued by the notified body;
b) Prepare a report on its findings and submit it to the Commission and the other Member States within three months of having notified the changes to the notification;
c) Instruct the notified body to suspend or withdraw, within a reasonable timeframe determined by the authority, any certificates which were unduly issued to ensure the conformity of AI systems on the market;
d) Notify the Commission and the Member States about certificates of which it has required their suspension or withdrawal;
e) Supply the national competent authorities of the Member State where the provider has its registered place of business with all relevant information about the certificates for which it has required suspension or withdrawal.

The competent authority should then take the necessary measures to prevent a potential risk to health, safety or fundamental rights.
Article 36 – paragraph 2b (new)7. With the exception of certificates unduly issued, and where a notification has been suspended or restricted, the certificates shall remain valid in the following circumstances:

a) the notifying authority has confirmed, within one month of the suspension or restriction, that there is no risk to health, safety or fundamental rights in relation to certificates affected by the suspension or restriction, and the notifying authority has outlined a timeline and actions anticipated to remedy the suspension or restriction; or

b) the notifying authority has confirmed that no certificates relevant to the suspension will be issued, amended or re-issued during the course of the suspension or restriction, and states whether the notified body has the capability of continuing to monitor and remain responsible for existing certificates issued for the period of the suspension or restriction. In the event that the authority responsible for notified bodies determines that the notified body does not have the capability to support existing certificates issued, the provider shall provide to the national competent authorities of the Member State in which the provider of the system covered by the certificate has its registered place of business, within three months of the suspension or restriction, a written confirmation that another qualified notified body is temporarily assuming the functions of the notified body to monitor and remain responsible for the certificates during the period of suspension or restriction.		The certificates, excluding those unduly issued, shall remain valid under the following conditions, unless a notification has been suspended or restricted:

a) The notifying authority must confirm within one month of the suspension or restriction that there is no risk to health, safety, or fundamental rights in relation to the certificates affected by the suspension or restriction. The notifying authority must also provide a timeline and planned actions to remedy the suspension or restriction.

b) The notifying authority must confirm that no certificates relevant to the suspension will be issued, amended, or re-issued during the suspension or restriction. The notifying authority must also state whether the notified body has the ability to continue monitoring and remain responsible for existing certificates issued for the duration of the suspension or restriction.

In the event that the authority responsible for notified bodies determines that the notified body does not have the capability to support existing certificates issued, the provider must provide to the national competent authorities of the Member State in which the provider of the system covered by the certificate has its registered place of business, within three months of the suspension or restriction, a written confirmation that another qualified notified body is temporarily assuming the functions of the notified body to monitor and remain responsible for the certificates during the period of suspension or restriction.
Article 36 – paragraph 2c (new)8. With the exception of certificates unduly issued, and where a designation has been withdrawn, the certificates shall remain valid for a period of nine months in the following circumstances:

a) where the national competent authority of the Member State in which the provider of the AI system covered by the certificate has its registered place of business has confirmed that there is no risk to health, safety and fundamental rights associated with the systems in question; and

b) another notified body has confirmed in writing that it will assume immediate responsibilities for those systems and will have completed assessment of them within twelve months of the withdrawal of the designation.

In the circumstances referred to in the first subparagraph, the national competent authority of the Member State in which the provider of the system covered by the certificate has its place of business may extend the provisional validity of the certificates for further periods of three months, which altogether shall not exceed twelve months.

The national competent authority or the notified body assuming the functions of the notified body affected by the change of notification shall immediately inform the Commission, the other Member States and the other notified bodies thereof.		The certificates, excluding those unduly issued or where a designation has been withdrawn, shall remain valid for a period of nine months under the following conditions:

a) The national competent authority of the Member State where the provider of the AI system covered by the certificate has its registered place of business has confirmed that there is no risk to health, safety, and fundamental rights associated with the systems in question; and

b) Another notified body has confirmed in writing that it will assume immediate responsibilities for those systems and will have completed assessment of them within twelve months of the withdrawal of the designation.

In the circumstances mentioned above, the national competent authority of the Member State where the provider of the system covered by the certificate has its place of business may extend the provisional validity of the certificates for further periods of three months, which altogether shall not exceed twelve months.

The national competent authority or the notified body assuming the functions of the notified body affected by the change of notification shall immediately inform the Commission, the other Member States, and the other notified bodies thereof.
Article 37
NumberingCommissionParliamentCouncilText proposed by the AI
Article 37Article 37
Challenge to the competence of notified bodies		Article 37
Challenge to the competence of notified bodies		Article 37
Challenge to the competence of notified bodies		Article 37
Challenge to the competence of notified bodies
Article 37 – paragraph 11. The Commission shall, where necessary, investigate all cases where there are reasons to doubt whether a notified body complies with the requirements laid down in Article 33.1. The Commission shall, where necessary, investigate all cases where there are reasons to doubt the competence of a notified body or the continued fulfilment by a notified body of the applicable requirements and responsibilities.1. The Commission shall, where necessary, investigate all cases where there are reasons to doubt whether a notified body complies with the requirements laid down in Article 33.1. The Commission shall, where necessary, investigate all cases where there are reasons to doubt the competence of a notified body, whether a notified body complies with the requirements laid down in Article 33, or the continued fulfilment by a notified body of the applicable requirements and responsibilities.
Article 37 – paragraph 22. The Notifying authority shall provide the Commission, on request, with all relevant information relating to the notification of the notified body concerned.2. The Notifying authority shall provide the Commission, on request, with all relevant information relating to the notification or the maintenance of the competence of the notified body concerned.2. The notifying authority shall provide the Commission, on request, with all relevant information relating to the notification of the notified body concerned.2. The Notifying authority shall provide the Commission, on request, with all relevant information relating to the notification or the maintenance of the competence of the notified body concerned.
Article 37 – paragraph 33. The Commission shall ensure that all confidential information obtained in the course of its investigations pursuant to this Article is treated confidentially.3. The Commission shall ensure that all sensitive information obtained in the course of its investigations pursuant to this Article is treated confidentially.3. The Commission shall ensure that all confidential information obtained in the course of its investigations pursuant to this Article is treated confidentially in accordance with Article 70.3. The Commission shall ensure that all sensitive and confidential information obtained in the course of its investigations pursuant to this Article is treated confidentially in accordance with Article 70.
Article 37 – paragraph 44. Where the Commission ascertains that a notified body does not meet or no longer meets the requirements laid down in Article 33, it shall adopt a reasoned decision requesting the notifying Member State to take the necessary corrective measures, including withdrawal of notification if necessary. That implementing act shall be adopted in accordance with the examination procedure referred to in Article 74(2).4.  Where the Commission ascertains that a notified body does not meet or no longer meets the requirements for its notification, it shall inform the notifying Member State accordingly and request it to take the necessary corrective measures, including suspension or withdrawal of the notification if necessary. Where the Member State fails to take the necessary corrective measures, the Commission may, by means of an implementing act, suspend, restrict or withdraw the designation. That implementing act shall be adopted in accordance with the examination procedure referred to in Article 74(2).4. Where the Commission ascertains that a notified body does not meet or no longer meets the requirements laid down in Article 33, it shall inform the notifying authority of the reasons of such an ascertainment and request it to take the necessary corrective measures, including the suspension, restriction or withdrawal of the designation if necessary. Where the notifying authority fails to take the necessary corrective measures, the Commission may, by means of implementing acts, suspend, restrict or withdraw the notification. That implementing act shall be adopted in accordance with the examination procedure referred to in Article 74(2).4. Where the Commission ascertains that a notified body does not meet or no longer meets the requirements laid down in Article 33, it shall adopt a reasoned decision and inform the notifying Member State or authority of the reasons for such an ascertainment. The Commission shall request the notifying Member State or authority to take the necessary corrective measures, including suspension, restriction or withdrawal of the notification or designation if necessary. If the notifying Member State or authority fails to take the necessary corrective measures, the Commission may, by means of an implementing act, suspend, restrict or withdraw the notification or designation. That implementing act shall be adopted in accordance with the examination procedure referred to in Article 74(2).
Article 38
NumberingCommissionParliamentCouncilText proposed by the AI
Article 38 Article 38
Coordination of notified bodies		Article 38
Coordination of notified bodies		Article 38
Coordination of notified bodies		Article 38
Coordination of notified bodies
Article 38 – paragraph 11. The Commission shall ensure that, with regard to the areas covered by this Regulation, appropriate coordination and cooperation between notified bodies active in the conformity assessment procedures of AI systems pursuant to this Regulation are put in place and properly operated in the form of a sectoral group of notified bodies.1. The Commission shall ensure that, with regard to the areas covered by this Regulation, appropriate coordination and cooperation between notified bodies active in the conformity assessment procedures of AI systems pursuant to this Regulation are put in place and properly operated in the form of a sectoral group of notified bodies.1. The Commission shall ensure that, with regard to high-risk AI systems, appropriate coordination and cooperation between notified bodies active in the conformity assessment procedures pursuant to this Regulation are put in place and properly operated in the form of a sectoral group of notified bodies.1. The Commission shall ensure that, with regard to the areas covered by this Regulation and specifically high-risk AI systems, appropriate coordination and cooperation between notified bodies active in the conformity assessment procedures pursuant to this Regulation are put in place and properly operated in the form of a sectoral group of notified bodies.
Article 38 – paragraph 2 a (new)2. Member States shall ensure that the bodies notified by them participate in the work of that group, directly or by means of designated representatives.2. Member States shall ensure that the bodies notified by them participate in the work of that group, directly or by means of designated representatives.2. The notifying authority shall ensure that the bodies notified by them participate in the work of that group, directly or by means of designated representatives.2. Member States and the notifying authority shall ensure that the bodies notified by them participate in the work of that group, directly or by means of designated representatives.
Article 38 – paragraph 2a (new)2a. The Commission shall provide for the exchange of knowledge and best practices between the Member States’ national authorities responsible for notification policy.The Commission shall facilitate the exchange of knowledge and best practices among the national authorities of the Member States responsible for notification policy.
Article 39
NumberingCommissionParliamentCouncilText proposed by the AI
Article 39Article 39
Conformity assessment bodies of third countries		Article 39
Conformity assessment bodies of third countries		Article 39
Conformity assessment bodies of third countries		Article 39
Conformity assessment bodies of third countries
Article 39 – paragraph Conformity assessment bodies established under the law of a third country with which the Union has concluded an agreement may be authorised to carry out the activities of notified Bodies under this Regulation.Conformity assessment bodies established under the law of a third country with which the Union has concluded an agreement may be authorised to carry out the activities of notified Bodies under this Regulation.Conformity assessment bodies established under the law of a third country with which the Union has concluded an agreement may be authorised to carry out the activities of notified Bodies under this Regulation, provided that they meet the requirements in Article 33.Conformity assessment bodies established under the law of a third country with which the Union has concluded an agreement may be authorised to carry out the activities of notified Bodies under this Regulation, provided that they meet the requirements in Article 33.

CHAPTER 5: Standards, Conformity Assessment, Certificates, Registration

Article 40
NumberingCommissionParliamentCouncilText proposed by the AI
Article 40Article 40
Harmonised standards		Article 40
Harmonised standards		Article 40
Harmonised standards		Article 40
Harmonised standards
Article 40 – paragraph 1High-risk AI systems which are in conformity with harmonised standards or parts thereof the references of which have been published in the Official Journal of the European Union shall be presumed to be in conformity with the requirements set out in Chapter 2 of this Title, to the extent those standards cover those requirements.1. High-risk AI systems and foundation models which are in conformity with harmonised standards or parts thereof the references of which have been published in the Official Journal of the European Union in accordance with Regulation (EU) 1025/2012 shall be presumed to be in conformity with the requirements set out in Chapter 2 of this Title or Article 28b, to the extent those standards cover those requirements.1. High-risk AI systems or general purpose AI systems which are in conformity with harmonised standards or parts thereof the references of which have been published in the Official Journal of the European Union shall be presumed to be in conformity with the requirements set out in Chapter 2 of this Title or, as applicable, with requirements set out in Article 4a and Article 4b, to the extent those standards cover those requirements.1. High-risk AI systems, foundation models, or general purpose AI systems which are in conformity with harmonised standards or parts thereof the references of which have been published in the Official Journal of the European Union in accordance with Regulation (EU) 1025/2012 shall be presumed to be in conformity with the requirements set out in Chapter 2 of this Title, Article 28b, or, as applicable, with requirements set out in Article 4a and Article 4b, to the extent those standards cover those requirements.
Article 40 – paragraph 1a (new)1a. The Commission shall issue standardisation requests covering all requirements of this Regulation, in accordance with Article 10 of Regulation EU (No)1025/2012 by… [two months after the date of entry into force of this Regulation]. When preparing standardisation request, the Commission shall consult the AI Office and the Advisory Forum; The Commission shall, within two months after the date of entry into force of this Regulation, issue standardisation requests that cover all requirements of this Regulation, in accordance with Article 10 of Regulation EU (No)1025/2012. In the preparation of the standardisation request, the Commission shall consult with the AI Office and the Advisory Forum.
Article 40 – paragraph 1b [P] / paragraph 2 [C] (new)1b. When issuing a standardisation request to European standardisation organisations, the Commission shall specify that standards have to be consistent, including with the sectorial law listed in Annex II, and aimed at ensuring that AI systems or foundation models placed on the market or put into service in the Union meet the relevant requirements laid down in this Regulation;2. When issuing a standardisation request to European standardisation organisations in accordance with Article 10 of Regulation 1025/2012, the Commission shall specify that standards are coherent, clear and drafted in such a way that they aim to fulfil in particular the following objectives:

a) ensure that AI systems placed on the market or put into service in the Union are safe and respect Union values and strengthen the Union’s open strategic autonomy;

b) promote investment and innovation in AI, including through increasing legal certainty, as well as competitiveness and growth of the Union market;

c) enhance multistakeholder governance, representative of all relevant European stakeholders (e.g. industry, SMEs, civil society, researchers);

(d) contribute to strengthening global cooperation on standardisation in the field of AI that is consistent with Union values and interests.

The Commission shall request the European standardisation organisations to provide evidence of their best efforts to fulfil the above objectives.		When issuing a standardisation request to European standardisation organisations in accordance with Article 10 of Regulation 1025/2012, the Commission shall specify that standards are to be consistent, coherent, clear, and drafted in such a way that they aim to ensure that AI systems or foundation models placed on the market or put into service in the Union meet the relevant requirements laid down in this Regulation and the sectorial law listed in Annex II.

The standards should aim to fulfil the following objectives:

a) Ensure that AI systems placed on the market or put into service in the Union are safe, respect Union values, and strengthen the Union’s open strategic autonomy;

b) Promote investment and innovation in AI, including through increasing legal certainty, as well as competitiveness and growth of the Union market;

c) Enhance multistakeholder governance, representative of all relevant European stakeholders (e.g. industry, SMEs, civil society, researchers);

d) Contribute to strengthening global cooperation on standardisation in the field of AI that is consistent with Union values and interests.

The Commission shall request the European standardisation organisations to provide evidence of their best efforts to fulfil the above objectives.
Article 40 – paragraph 1c (new)1c. The actors involved in the standardisation process shall take into account the general principles for trustworthy AI set out in Article 4(a), seek to promote investment and innovation in AI as well as competitiveness and growth of the Union market, and contribute to strengthening global cooperation on standardisation and taking into account existing international standards in the field of AI that are consistent with Union values, fundamental rights and interests, and ensure a balanced representation of interests and effective participation of all relevant stakeholders in accordance with Articles 5, 6, and 7 of Regulation (EU) No 1025/2012The actors involved in the standardisation process should adhere to the general principles for trustworthy AI as outlined in Article 4(a). They should aim to foster investment and innovation in AI, as well as enhance the competitiveness and growth of the Union market. They should also contribute to bolstering global cooperation on standardisation, taking into account existing international standards in the field of AI that align with Union values, fundamental rights, and interests. Furthermore, they should ensure a balanced representation of interests and effective participation of all relevant stakeholders in accordance with Articles 5, 6, and 7 of Regulation (EU) No 1025/2012.
Article 40 – paragraph 1c (new)1c. The actors involved in the standardisation process shall take into account the general principles for trustworthy AI set out in Article 4(a), seek to promote investment and innovation in AI as well as competitiveness and growth of the Union market, and contribute to strengthening global cooperation on standardisation and taking into account existing international standards in the field of AI that are consistent with Union values, fundamental rights and interests, and ensure a balanced representation of interests and effective participation of all relevant stakeholders in accordance with Articles 5, 6, and 7 of Regulation (EU) No 1025/2012The actors involved in the AI standardisation process shall adhere to the general principles for trustworthy AI as outlined in Article 4(a). They should aim to foster investment and innovation in AI, while also promoting the competitiveness and growth of the Union market. These actors are also expected to contribute to the strengthening of global cooperation on standardisation, taking into account existing international AI standards that align with Union values, fundamental rights, and interests. Furthermore, a balanced representation of interests and effective participation of all relevant stakeholders should be ensured, in accordance with Articles 5, 6, and 7 of Regulation (EU) No 1025/2012.
Article 41
NumberingCommissionParliamentCouncilText proposed by the AI
Article 41 Article 41
Common specifications		Article 41
Common specifications		Article 41 Common specificationsArticle 41
Common specifications
Article 41 – paragraph 11. Where harmonised standards referred to in Article 40 do not exist or where the Commission considers that the relevant harmonised standards are insufficient or that there is a need to address specific safety or fundamental right concerns, the Commission may, by means of implementing acts, adopt common specifications in respect of the requirements set out in Chapter 2 of this Title. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 74(2).deleted1. The Commission is empowered to adopt, after consulting the AI Board referred to in Article 56, implementing acts in accordance with the examination procedure referred to in Article 74(2) establishing common technical specifications for the requirements set out in Chapter 2 of this Title, or, as applicable, with requirements set out in Article 4a and Article 4b, where the following conditions have been fulfilled:

(a) no reference to harmonised standards covering the relevant essential safety or fundamental right concerns is published in the Official Journal of the European Union in accordance with Regulation (EU) No 1025/2012;

(b) the Commission has requested, pursuant to Article 10(1) of Regulation 1025/2012, one or more European standardisation organisations to draft a harmonised standard for the requirements set out in Chapter 2 of this Title;

(c) the request referred to in point (b) has not been accepted by any of the European standardisation organisations or the harmonised standards addressing that request are not delivered within the deadline set in accordance with article 10(1) of Regulation 1025/2012 or those standards do not comply with the request.		1. In the absence of harmonised standards as referred to in Article 40, or when the Commission deems the existing harmonised standards to be insufficient or identifies a need to address specific safety or fundamental right concerns, the Commission is empowered to adopt common specifications. This will be done through implementing acts, in respect of the requirements set out in Chapter 2 of this Title, or, as applicable, with requirements set out in Article 4a and Article 4b. The Commission will adopt these implementing acts after consulting the AI Board referred to in Article 56, and in accordance with the examination procedure referred to in Article 74(2). This will occur under the following conditions:

(a) no reference to harmonised standards covering the relevant essential safety or fundamental right concerns is published in the Official Journal of the European Union in accordance with Regulation (EU) No 1025/2012;

(b) the Commission has requested, pursuant to Article 10(1) of Regulation 1025/2012, one or more European standardisation organisations to draft a harmonised standard for the requirements set out in Chapter 2 of this Title;

(c) the request referred to in point (b) has not been accepted by any of the European standardisation organisations or the harmonised standards addressing that request are not delivered within the deadline set in accordance with article 10(1) of Regulation 1025/2012 or those standards do not comply with the request.
Article 41 – paragraph 1a (new) [C]1a. Before preparing a draft implementing act, the Commission shall inform the committee referred to in Article 22 of Regulation EU (No) 1025/2012 that it considers that the conditions in paragraph 1 are fulfilled.Before preparing a draft implementing act, the Commission shall inform the committee referred to in Article 22 of Regulation EU (No) 1025/2012 that it considers that the conditions in paragraph 1 are fulfilled.
Article 41 – paragraph 1a (new) [P]1a. The Commission may, by means of implementing act adopted in accordance with the examination procedure referred to in Article 74(2) and after consulting the AI Office and the AI Advisory Forum, adopt common specifications in respect of the requirements set out in Chapter 2 of this Title or Article 28b wherein all of the following conditions are fulfilled:

(a) there is no reference to harmonised standards already published in the Official Journal of the European Union related to the essential requirement(s), unless the harmonised standard in question is an existing standard that must be revised;

(b) the Commission has requested one or more European standardisation organisations to draft a harmonised standard for the essential requirement(s) set out in Chapter 2;

(c) the request referred to in point (b) has not been accepted by any of the European standardisation organisations; or there are undue delays in the establishment of an appropriate harmonised standard; or the standard provided does not satisfy the requirements of the relevant Union law, or does not comply with the request of the Commission.
The Commission may, in accordance with the examination procedure referred to in Article 74(2) and after consulting the AI Office and the AI Advisory Forum, adopt common specifications regarding the requirements set out in Chapter 2 of this Title or Article 28b. This can occur under the following conditions:

(a) there is no reference to harmonised standards already published in the Official Journal of the European Union related to the essential requirement(s), unless the harmonised standard in question is an existing standard that must be revised;

(b) the Commission has requested one or more European standardisation organisations to draft a harmonised standard for the essential requirement(s) set out in Chapter 2;

(c) the request referred to in point (b) has not been accepted by any of the European standardisation organisations; or there are undue delays in the establishment of an appropriate harmonised standard; or the standard provided does not satisfy the requirements of the relevant Union law, or does not comply with the request of the Commission.
Article 41 – paragraph 1b (new)1b. Where the Commission considers there to be a need to address specific fundamental rights concerns, common specifications adopted by the Commission in accordance with paragraph 1a shall also address those specific fundamental rights concerns.In cases where the Commission identifies a need to address specific fundamental rights concerns, the common specifications adopted by the Commission, in accordance with the previously mentioned guidelines, shall also address those specific fundamental rights concerns.
Article 41 – paragraph 1c (new)1c. The Commission shall develop common specifications for the methodology to fulfil the reporting and documentation requirement on the consumption of energy and resources during development, training and deployment of the high risk AI system.The Commission is mandated to establish common specifications for the methodology to meet the reporting and documentation requirement on the consumption of energy and resources during the development, training, and deployment of high-risk AI systems.
Article 41 – paragraph 22. The Commission, when preparing the common specifications referred to in paragraph 1, shall gather the views of relevant bodies or expert groups established under relevant sectorial Union law.2. The Commission shall, throughout the whole process of drafting the common specifications referred to in paragraphs 1a and 1b, regularly consult the AI Office and the Advisory Forum, the European standardisation organisations and bodies or expert groups established under relevant sectorial Union law as well as other relevant stakeholders. The Commission shall fulfil the objectives referred to in Article 40 (1c) and duly justify why it decided to resort to common specifications.

Where the Commission intends to adopt common specifications pursuant to paragraph 1a of this Article, it shall also clearly identify the specific fundamental rights concern to be addressed.

When adopting common specifications pursuant to paragraphs 1a and 1b of this Article, the Commission shall take into account the opinion issued by the AI Office referred to in Article 56e(b) of this Regulation. Where the Commission decides not to follow the opinion of the AI Office, it shall provide a reasoned explanation to the AI Office.
2. In the early preparation of the draft implementing act establishing the common specification, the Commission shall fulfil the objectives referred to in Article 40(2) and gather the views of relevant bodies or expert groups established under relevant sectorial Union law. Based on that consultation, the Commission shall prepare the draft implementing act.2. In the process of preparing and drafting the common specifications referred to in paragraph 1, the Commission shall gather the views of relevant bodies or expert groups established under relevant sectorial Union law, regularly consult the AI Office and the Advisory Forum, the European standardisation organisations as well as other relevant stakeholders. The Commission shall fulfil the objectives referred to in Article 40 and provide a reasoned justification for resorting to common specifications.

When the Commission intends to adopt common specifications, it should clearly identify the specific fundamental rights concern to be addressed. In the early preparation of the draft implementing act establishing the common specification, the Commission shall take into account the opinion issued by the AI Office referred to in Article 56e(b) of this Regulation. Where the Commission decides not to follow the opinion of the AI Office, it shall provide a reasoned explanation to the AI Office.

Based on these consultations and considerations, the Commission shall prepare the draft implementing act.
Article 41 – paragraph 33. High-risk AI systems which are in conformity with the common specifications referred to in paragraph 1 shall be presumed to be in conformity with the requirements set out in Chapter 2 of this Title, to the extent those common specifications cover those requirements.3. High-risk AI systems which are in conformity with the common specifications referred to in paragraphs 1a and 1b shall be presumed to be in conformity with the requirements set out in Chapter 2 of this Title, to the extent those common specifications cover those requirements 3. High-risk AI systems or general purpose AI systems which are in conformity with the common specifications referred to in paragraph 1 shall be presumed to be in conformity with the requirements set out in Chapter 2 of this Title or, as applicable, with requirements set out in Article 4a and Article 4b, to the extent those common specifications cover those requirements.3. High-risk AI systems or general purpose AI systems which are in conformity with the common specifications referred to in paragraphs 1, 1a and 1b shall be presumed to be in conformity with the requirements set out in Chapter 2 of this Title or, as applicable, with requirements set out in Article 4a and Article 4b, to the extent those common specifications cover those requirements.
Article 41 – paragraph 3a (new)3a. Where a harmonised standard is adopted by a European standardisation organisation and proposed to the Commission for the publication of its reference in the Official Journal of the European Union, the Commission shall assess the harmonised standard in accordance with Regulation (EU) No 1025/2012. When reference of a harmonised standard is published in the Official Journal of the European Union, the Commission shall repeal acts referred to in paragraph 1 and 1b, or parts thereof which cover the same requirements set out in Chapter 2 of this Title.When a harmonised standard is adopted by a European standardisation organisation and proposed to the Commission for the publication of its reference in the Official Journal of the European Union, the Commission shall assess the harmonised standard in accordance with Regulation (EU) No 1025/2012. Upon the publication of the reference of a harmonised standard in the Official Journal of the European Union, the Commission shall repeal acts referred to in paragraph 1 and 1b, or parts thereof which cover the same requirements set out in Chapter 2 of this Title.
Article 41 – paragraph 44. Where providers do not comply with the common specifications referred to in paragraph 1, they shall duly justify that they have adopted technical solutions that are at least equivalent thereto.4. Where providers of high-risk AI systems do not comply with the common specifications referred to in paragraph 1, they shall duly justify that they have adopted technical solutions that meet the requirements referred to in Chapter II to a level at least equivalent thereto;deleted 4. Where providers of high-risk AI systems do not comply with the common specifications referred to in paragraph 1, they shall duly justify that they have adopted technical solutions that are at least equivalent thereto.
Article 41 – paragraph 4a (new)4. When references of a harmonised standard are published in the Official Journal of the European Union, implementing acts referred to in paragraph 1, which cover the requirements set out in Chapter 2 of this Title or requirements set out in Article 4a and Article 4b, shall be repealed, as applicable.None
Article 41 – paragraph 5 (new)5. When a Member State considers that a common specification does not entirely satisfy the requirements set out in Chapter 2 of this Title or requirements set out in Article 4a and Article 4b, as applicable, it shall inform the Commission thereof with a detailed explanation and the Commission shall assess that information and, if appropriate, amend the implementing act establishing the common specification in question.When a Member State deems that a common specification does not fully meet the requirements outlined in Chapter 2 of this Title or the stipulations in Article 4a and Article 4b, as applicable, it should provide the Commission with a detailed explanation. The Commission is then responsible for evaluating this information and, if deemed necessary, amending the implementing act that established the common specification in question.
Article 42
NumberingCommissionParliamentCouncilText proposed by the AI
Article 42 Article 42
Presumption of conformity with certain requirements		Article 42
Presumption of conformity with certain requirements		Article 42
Presumption of conformity with certain requirements		Article 42
Presumption of conformity with certain requirements
Article 42 – paragraph 11. Taking into account their intended purpose, high-risk AI systems that have been trained and tested on data concerning the specific geographical, behavioural and functional setting within which they are intended to be used shall be presumed to be in compliance with the requirement set out in Article 10(4).1. Taking into account their intended purpose, high-risk AI systems that have been trained and tested on data concerning the specific geographical, behavioural contextual and functional setting within which they are intended to be used shall be presumed to be in compliance with the respective requirements set out in Article 10(4).1. High-risk AI systems that have been trained and tested on data reflecting the specific geographical, behavioural or functional setting within which they are intended to be used shall be presumed to be in compliance with the respective requirements set out in Article 10(4).1. Taking into account their intended purpose, high-risk AI systems that have been trained and tested on data reflecting the specific geographical, behavioural, contextual, or functional setting within which they are intended to be used shall be presumed to be in compliance with the respective requirements set out in Article 10(4).
Article 42 – paragraph 22. High-risk AI systems that have been certified or for which a statement of conformity has been issued under a cybersecurity scheme pursuant to Regulation (EU) 2019/881 of the European Parliament and of the Council63 and the references of which have been published in the Official Journal of the European Union shall be presumed to be in compliance with the cybersecurity requirements set out in Article 15 of this Regulation in so far as the cybersecurity certificate or statement of conformity or parts thereof cover those requirements.

_________
63. Regulation (EU) 2019/881 of the European Parliament and of the Council of 17 April 2019 on ENISA (the European Union Agency for Cybersecurity) and on information and communications technology cybersecurity certification and repealing Regulation (EU) No 526/2013 (Cybersecurity Act) (OJ L 151, 7.6.2019, p. 1).		2. High-risk AI systems that have been certified or for which a statement of conformity has been issued under a cybersecurity scheme pursuant to Regulation (EU) 2019/881 of the European Parliament and of the Council63 and the references of which have been published in the Official Journal of the European Union shall be presumed to be in compliance with the cybersecurity requirements set out in Article 15 of this Regulation in so far as the cybersecurity certificate or statement of conformity or parts thereof cover those requirements.

_________
63. Regulation (EU) 2019/881 of the European Parliament and of the Council of 17 April 2019 on ENISA (the European Union Agency for Cybersecurity) and on information and communications technology cybersecurity certification and repealing Regulation (EU) No 526/2013 (Cybersecurity Act) (OJ L 151, 7.6.2019, p. 1).		2. High-risk AI systems or general purpose AI systems that have been certified or for which a statement of conformity has been issued under a cybersecurity scheme pursuant to Regulation (EU) 2019/881 of the European Parliament and of the Council33 and the references of which have been published in the Official Journal of the European Union shall be presumed to be in compliance with the cybersecurity requirements set out in Article 15 of this Regulation in so far as the cybersecurity certificate or statement of conformity or parts thereof cover those requirements.

_________
33. Regulation (EU) 2019/881 of the European Parliament and of the Council of 17 April 2019 on ENISA (the European Union Agency for Cybersecurity) and on information and communications technology cybersecurity certification and repealing Regulation (EU) No 526/2013 (Cybersecurity Act) (OJ L 151, 7.6.2019, p. 1).		2. High-risk AI systems or general purpose AI systems that have been certified or for which a statement of conformity has been issued under a cybersecurity scheme pursuant to Regulation (EU) 2019/881 of the European Parliament and of the Council and the references of which have been published in the Official Journal of the European Union shall be presumed to be in compliance with the cybersecurity requirements set out in Article 15 of this Regulation in so far as the cybersecurity certificate or statement of conformity or parts thereof cover those requirements.

_________
Regulation (EU) 2019/881 of the European Parliament and of the Council of 17 April 2019 on ENISA (the European Union Agency for Cybersecurity) and on information and communications technology cybersecurity certification and repealing Regulation (EU) No 526/2013 (Cybersecurity Act) (OJ L 151, 7.6.2019, p. 1).
Article 43
NumberingCommissionParliamentCouncilText proposed by the AI
Article 43Article 43
Conformity assessment		Article 43
Conformity assessment		Article 43
Conformity assessment		Article 43
Conformity assessment
Article 43 – paragraph 1 – introductory part1. For high-risk AI systems listed in point 1 of Annex III, where, in demonstrating the compliance of a high-risk AI system with the requirements set out in Chapter 2 of this Title, the provider has applied harmonised standards referred to in Article 40, or, where applicable, common specifications referred to in Article 41, the provider shall follow one of the following procedures:1. For high-risk AI systems listed in point 1 of Annex III, where, in demonstrating the compliance of a high-risk AI system with the requirements set out in Chapter 2 of this Title, the provider has applied harmonised standards referred to in Article 40, or, where applicable, common specifications referred to in Article 41, the provider shall opt for one of the following procedures;1. For high-risk AI systems listed in point 1 of Annex III, where, in demonstrating the compliance of a high-risk AI system with the requirements set out in Chapter 2 of this Title, the provider has applied harmonised standards referred to in Article 40, or, where applicable, common specifications referred to in Article 41, the provider shall opt for one of the following procedures:1. For high-risk AI systems listed in point 1 of Annex III, where, in demonstrating the compliance of a high-risk AI system with the requirements set out in Chapter 2 of this Title, the provider has applied harmonised standards referred to in Article 40, or, where applicable, common specifications referred to in Article 41, the provider shall follow or opt for one of the following procedures:
Article 43 – paragraph 1 – point a(a) the conformity assessment procedure based on internal control referred to in Annex VI;(a) the conformity assessment procedure based on internal control referred to in Annex VI; or(a) the conformity assessment procedure based on internal control referred to in Annex VI; or(a) the conformity assessment procedure based on internal control referred to in Annex VI; or
Article 43 – paragraph 1 – point b(b) the conformity assessment procedure based on assessment of the quality management system and assessment of the technical documentation, with the involvement of a notified body, referred to in Annex VII.(b) the conformity assessment procedure based on assessment of the quality management system and of the technical documentation, with the involvement of a notified body, referred to in Annex VII;(b) the conformity assessment procedure based on assessment of the quality management system and assessment of the technical documentation, with the involvement of a notified body, referred to in Annex VII.(b) the conformity assessment procedure based on assessment of the quality management system and of the technical documentation, with the involvement of a notified body, referred to in Annex VII.
Article 43 – paragraph 1 – subparagraph 1Where, in demonstrating the compliance of a high-risk AI system with the requirements set out in Chapter 2 of this Title, the provider has not applied or has applied only in part harmonised standards referred to in Article 40, or where such harmonised standards do not exist and common specifications referred to in Article 41 are not available, the provider shall follow the conformity assessment procedure set out in Annex VII.In demonstrating the compliance of a high-risk AI system with the requirements set out in Chapter 2 of this Title, the provider shall follow the conformity assessment procedure set out in Annex VII in the following cases:

(a) where harmonised standards referred to in Article 40, the reference number of which has been published in the Official Journal of the European Union, covering all relevant safety requirements for the AI system, do not exist and common specifications referred to in Article 41 are not available;

(b) where the technical specifications referred to in point (a) exist but the provider has not applied them or has applied them only in part;

(c) where one or more of the technical specifications referred to in point (a) has been published with a restriction and only on the part of the standard that was restricted;

(d) when the provider considers that the nature, design, construction or purpose of the AI system necessitate third party verification, regardless of its risk level.
Where, in demonstrating the compliance of a high-risk AI system with the requirements set out in Chapter 2 of this Title, the provider has not applied or has applied only in part harmonised standards referred to in Article 40, or where such harmonised standards do not exist and common specifications referred to in Article 41 are not available, the provider shall follow the conformity assessment procedure set out in Annex VII.In demonstrating the compliance of a high-risk AI system with the requirements set out in Chapter 2 of this Title, the provider shall follow the conformity assessment procedure set out in Annex VII in the following cases:

(a) where harmonised standards referred to in Article 40, the reference number of which has been published in the Official Journal of the European Union, covering all relevant safety requirements for the AI system, do not exist and common specifications referred to in Article 41 are not available;

(b) where the technical specifications referred to in point (a) exist but the provider has not applied them or has applied them only in part;

(c) where one or more of the technical specifications referred to in point (a) has been published with a restriction and only on the part of the standard that was restricted;

(d) when the provider considers that the nature, design, construction or purpose of the AI system necessitate third party verification, regardless of its risk level.
Article 43 – paragraph 1 – subparagraph 2For the purpose of the conformity assessment procedure referred to in Annex VII, the provider may choose any of the notified bodies. However, when the system is intended to be put into service by law enforcement, immigration or asylum authorities as well as EU institutions, bodies or agencies, the market surveillance authority referred to in Article 63(5) or (6), as applicable, shall act as a notified body.For the purpose of carrying out the conformity assessment procedure referred to in Annex VII, the provider may choose any of the notified bodies. However, when the system is intended to be put into service by law enforcement, immigration or asylum authorities as well as EU institutions, bodies or agencies, the market surveillance authority referred to in Article 63(5) or (6), as applicable, shall act as a notified body.For the purpose of the conformity assessment procedure referred to in Annex VII, the provider may choose any of the notified bodies. However, when the system is intended to be put into service by law enforcement, immigration or asylum authorities as well as EU institutions, bodies or agencies, the market surveillance authority referred to in Article 63(5) or (6), as applicable, shall act as a notified body.For the purpose of the conformity assessment procedure referred to in Annex VII, the provider may choose any of the notified bodies. However, when the system is intended to be put into service by law enforcement, immigration or asylum authorities as well as EU institutions, bodies or agencies, the market surveillance authority referred to in Article 63(5) or (6), as applicable, shall act as a notified body.
Article 43 – paragraph 22. For high-risk AI systems referred to in points 2 to 8 of Annex III, providers shall follow the conformity assessment procedure based on internal control as referred to in Annex VI, which does not provide for the involvement of a notified body. For high-risk AI systems referred to in point 5(b) of Annex III, placed on the market or put into service by credit institutions regulated by Directive 2013/36/EU, the conformity assessment shall be carried out as part of the procedure referred to in Articles 97 to101 of that Directive.2. For high-risk AI systems referred to in points 2 to 8 of Annex III, providers shall follow the conformity assessment procedure based on internal control as referred to in Annex VI, which does not provide for the involvement of a notified body. For high-risk AI systems referred to in point 5(b) of Annex III, placed on the market or put into service by credit institutions regulated by Directive 2013/36/EU, the conformity assessment shall be carried out as part of the procedure referred to in Articles 97 to101 of that Directive.2. For high-risk AI systems referred to in points 2 to 8 of Annex III and for general purpose AI systems referred in Title 1a, providers shall follow the conformity assessment procedure based on internal control as referred to in Annex VI, which does not provide for the involvement of a notified body.2. For high-risk AI systems referred to in points 2 to 8 of Annex III and for general purpose AI systems referred in Title 1a, providers shall follow the conformity assessment procedure based on internal control as referred to in Annex VI, which does not provide for the involvement of a notified body. For high-risk AI systems referred to in point 5(b) of Annex III, placed on the market or put into service by credit institutions regulated by Directive 2013/36/EU, the conformity assessment shall be carried out as part of the procedure referred to in Articles 97 to101 of that Directive.
Article 43 – paragraph 33.For high-risk AI systems, to which legal acts listed in Annex II, section A, apply, the provider shall follow the relevant conformity assessment as required under those legal acts. The requirements set out in Chapter 2 of this Title shall apply to those high-risk AI systems and shall be part of that assessment. Points 4.3., 4.4., 4.5. and the fifth paragraph of point 4.6 of Annex VII shall also apply.

For the purpose of that assessment, notified bodies which have been notified under those legal acts shall be entitled to control the conformity of the high-risk AI systems with the requirements set out in Chapter 2 of this Title, provided that the compliance of those notified bodies with requirements laid down in Article 33(4), (9) and (10) has been assessed in the context of the notification procedure under those legal acts.

Where the legal acts listed in Annex II, section A, enable the manufacturer of the product to opt out from a third-party conformity assessment, provided that that manufacturer has applied all harmonised standards covering all the relevant requirements, that manufacturer may make use of that option only if he has also applied harmonised standards or, where applicable, common specifications referred to in Article 41, covering the requirements set out in Chapter 2 of this Title.		3.For high-risk AI systems, to which legal acts listed in Annex II, section A, apply, the provider shall follow the relevant conformity assessment as required under those legal acts. The requirements set out in Chapter 2 of this Title shall apply to those high-risk AI systems and shall be part of that assessment. Points 4.3., 4.4., 4.5. and the fifth paragraph of point 4.6 of Annex VII shall also apply.

For the purpose of that assessment, notified bodies which have been notified under those legal acts shall be entitled to control the conformity of the high-risk AI systems with the requirements set out in Chapter 2 of this Title, provided that the compliance of those notified bodies with requirements laid down in Article 33(4), (9) and (10) has been assessed in the context of the notification procedure under those legal acts.

Where the legal acts listed in Annex II, section A, enable the manufacturer of the product to opt out from a third-party conformity assessment, provided that that manufacturer has applied all harmonised standards covering all the relevant requirements, that manufacturer may make use of that option only if he has also applied harmonised standards or, where applicable, common specifications referred to in Article 41, covering the requirements set out in Chapter 2 of this Title.		3. For high-risk AI systems, to which legal acts listed in Annex II, section A, apply, the provider shall follow the relevant conformity assessment as required under those legal acts. The requirements set out in Chapter 2 of this Title shall apply to those high-risk AI systems and shall be part of that assessment. Points 4.3., 4.4., 4.5. and the fifth paragraph of point 4.6 of Annex VII shall also apply.

For the purpose of that assessment, notified bodies which have been notified under those legal acts shall be entitled to control the conformity of the high-risk AI systems with the requirements set out in Chapter 2 of this Title, provided that the compliance of those notified bodies with requirements laid down in Article 33(4), (9) and (10) has been assessed in the context of the notification procedure under those legal acts.

Where the legal acts listed in Annex II, section A, enable the manufacturer of the product to opt out from a third-party conformity assessment, provided that that manufacturer has applied all harmonised standards covering all the relevant requirements, that manufacturer may make use of that option only if he has also applied harmonised standards or, where applicable, common specifications referred to in Article 41, covering the requirements set out in Chapter 2 of this Title.		3. For high-risk AI systems, to which legal acts listed in Annex II, section A, apply, the provider shall follow the relevant conformity assessment as required under those legal acts. The requirements set out in Chapter 2 of this Title shall apply to those high-risk AI systems and shall be part of that assessment. Points 4.3., 4.4., 4.5. and the fifth paragraph of point 4.6 of Annex VII shall also apply.

For the purpose of that assessment, notified bodies which have been notified under those legal acts shall be entitled to control the conformity of the high-risk AI systems with the requirements set out in Chapter 2 of this Title, provided that the compliance of those notified bodies with requirements laid down in Article 33(4), (9) and (10) has been assessed in the context of the notification procedure under those legal acts.

Where the legal acts listed in Annex II, section A, enable the manufacturer of the product to opt out from a third-party conformity assessment, provided that that manufacturer has applied all harmonised standards covering all the relevant requirements, that manufacturer may make use of that option only if he has also applied harmonised standards or, where applicable, common specifications referred to in Article 41, covering the requirements set out in Chapter 2 of this Title.
Article 43 – paragraph 44. High-risk AI systems shall undergo a new conformity assessment procedure whenever they are substantially modified, regardless of whether the modified system is intended to be further distributed or continues to be used by the current user.

For high-risk AI systems that continue to learn after being placed on the market or put into service, changes to the high-risk AI system and its performance that have been pre-determined by the provider at the moment of the initial conformity assessment and are part of the information contained in the technical documentation referred to in point 2(f) of Annex IV, shall not constitute a substantial modification.		4. High-risk AI systems that have already been subject to a conformity assessment procedure shall undergo a new conformity assessment procedure whenever they are substantially modified, regardless of whether the modified system is intended to be further distributed or continues to be used by the current deployer;

For high-risk AI systems that continue to learn after being placed on the market or put into service, changes to the high-risk AI system and its performance that have been pre-determined by the provider at the moment of the initial conformity assessment and are part of the information contained in the technical documentation referred to in point 2(f) of Annex IV, shall not constitute a substantial modification.		deleted4. High-risk AI systems that have already been subject to a conformity assessment procedure shall undergo a new conformity assessment procedure whenever they are substantially modified, regardless of whether the modified system is intended to be further distributed or continues to be used by the current user or deployer;

For high-risk AI systems that continue to learn after being placed on the market or put into service, changes to the high-risk AI system and its performance that have been pre-determined by the provider at the moment of the initial conformity assessment and are part of the information contained in the technical documentation referred to in point 2(f) of Annex IV, shall not constitute a substantial modification.
Article 43 – paragraph 4a (new)4a. The specific interests and needs of SMEs shall be taken into account when setting the fees for third-party conformity assessment under this Article, reducing those fees proportionately to their size and market share;The specific interests and needs of SMEs shall be considered in the determination of fees for third-party conformity assessment under this Article, with a proportional reduction in these fees relative to their size and market share.
Article 43 – paragraph 55. The Commission is empowered to adopt delegated acts in accordance with Article 73 for the purpose of updating Annexes VI and Annex VII in order to introduce elements of the conformity assessment procedures that become necessary in light of technical progress.5. The Commission is empowered to adopt delegated acts in accordance with Article 73 for the purpose of updating Annexes VI and Annex VII in order to introduce elements of the conformity assessment procedures that become necessary in light of technical progress. When preparing such delegated acts, the Commission shall consult the AI Office and the stakeholders affected;5. The Commission is empowered to adopt delegated acts in accordance with Article 73 for the purpose of updating Annexes VI and Annex VII in light of technical progress.5. The Commission is empowered to adopt delegated acts in accordance with Article 73 for the purpose of updating Annexes VI and Annex VII in order to introduce elements of the conformity assessment procedures that become necessary in light of technical progress. In the process of preparing such delegated acts, the Commission shall consult the AI Office and the stakeholders affected.
Article 43 – paragraph 66. The Commission is empowered to adopt delegated acts to amend paragraphs 1 and 2 in order to subject high-risk AI systems referred to in points 2 to 8 of Annex III to the conformity assessment procedure referred to in Annex VII or parts thereof. The Commission shall adopt such delegated acts taking into account the effectiveness of the conformity assessment procedure based on internal control referred to in Annex VI in preventing or minimizing the risks to health and safety and protection of fundamental rights posed by such systems as well as the availability of adequate capacities and resources among notified bodies.6. The Commission is empowered to adopt delegated acts to amend paragraphs 1 and 2 in order to subject high-risk AI systems referred to in points 2 to 8 of Annex III to the conformity assessment procedure referred to in Annex VII or parts thereof. The Commission shall adopt such delegated acts taking into account the effectiveness of the conformity assessment procedure based on internal control referred to in Annex VI in preventing or minimizing the risks to health and safety and protection of fundamental rights posed by such systems as well as the availability of adequate capacities and resources among notified bodies. When preparing such delegated acts, the Commission shall consult the AI Office and the stakeholders affected;6. The Commission is empowered to adopt delegated acts to amend paragraphs 1 and 2 in order to subject high-risk AI systems referred to in points 2 to 8 of Annex III to the conformity assessment procedure referred to in Annex VII or parts thereof. The Commission shall adopt such delegated acts taking into account the effectiveness of the conformity assessment procedure based on internal control referred to in Annex VI in preventing or minimizing the risks to health and safety and protection of fundamental rights posed by such systems as well as the availability of adequate capacities and resources among notified bodies.6. The Commission is empowered to adopt delegated acts to amend paragraphs 1 and 2 in order to subject high-risk AI systems referred to in points 2 to 8 of Annex III to the conformity assessment procedure referred to in Annex VII or parts thereof. The Commission shall adopt such delegated acts taking into account the effectiveness of the conformity assessment procedure based on internal control referred to in Annex VI in preventing or minimizing the risks to health and safety and protection of fundamental rights posed by such systems as well as the availability of adequate capacities and resources among notified bodies. In the process of preparing such delegated acts, the Commission shall consult the AI Office and the stakeholders affected.
Article 44
NumberingCommissionParliamentCouncilText proposed by the AI
Article 44Article 44
Certificates		Article 44
Certificates		Article 44
Certificates		Article 44
Certificates
Article 44 – paragraph 11. Certificates issued by notified bodies in accordance with Annex VII shall be drawn-up in an official Union language determined by the Member State in which the notified body is established or in an official Union language otherwise acceptable to the notified body.1. Certificates issued by notified bodies in accordance with Annex VII shall be drawn-up in one or several official Union languages determined by the Member State in which the notified body is established or in one or several official Union languages otherwise acceptable to the notified body;1. Certificates issued by notified bodies in accordance with Annex VII shall be drawn-up in a language which can be easily undestood by the relevant authorities in the Member State in which the notified body is established.1. Certificates issued by notified bodies in accordance with Annex VII shall be drawn-up in one or several official Union languages determined by the Member State in which the notified body is established, or in a language which can be easily understood by the relevant authorities in the Member State, or in one or several official Union languages otherwise acceptable to the notified body.
Article 44 – paragraph 22. Certificates shall be valid for the period they indicate, which shall not exceed five years. On application by the provider, the validity of a certificate may be extended for further periods, each not exceeding five years, based on a re-assessment in accordance with the applicable conformity assessment procedures.2. Certificates shall be valid for the period they indicate, which shall not exceed four years. On application by the provider, the validity of a certificate may be extended for further periods, each not exceeding four years, based on a re-assessment in accordance with the applicable conformity assessment procedures;2. Certificates shall be valid for the period they indicate, which shall not exceed five years. On application by the provider, the validity of a certificate may be extended for further periods, each not exceeding five years, based on a re-assessment in accordance with the applicable conformity assessment procedures. Any supplement to a certificate shall remain valid as long as the certificate which it supplements is valid.2. Certificates shall be valid for the period they indicate, which shall not exceed four years. On application by the provider, the validity of a certificate may be extended for further periods, each not exceeding four years, based on a re-assessment in accordance with the applicable conformity assessment procedures. Any supplement to a certificate shall remain valid as long as the certificate which it supplements is valid.
Article 44 – paragraph 33. Where a notified body finds that an AI system no longer meets the requirements set out in Chapter 2 of this Title, it shall, taking account of the principle of proportionality, suspend or withdraw the certificate issued or impose any restrictions on it, unless compliance with those requirements is ensured by appropriate corrective action taken by the provider of the system within an appropriate deadline set by the notified body. The notified body shall give reasons for its decision.3. Where a notified body finds that an AI system no longer meets the requirements set out in Chapter 2 of this Title, it shall suspend or withdraw the certificate issued or impose any restrictions on it, unless compliance with those requirements is ensured by appropriate corrective action taken by the provider of the system within an appropriate deadline set by the notified body. The notified body shall give reasons for its decision.3. Where a notified body finds that an AI system no longer meets the requirements set out in Chapter 2 of this Title, it shall, taking account of the principle of proportionality, suspend or withdraw the certificate issued or impose any restrictions on it, unless compliance with those requirements is ensured by appropriate corrective action taken by the provider of the system within an appropriate deadline set by the notified body. The notified body shall give reasons for its decision.3. Where a notified body finds that an AI system no longer meets the requirements set out in Chapter 2 of this Title, it shall, taking account of the principle of proportionality, suspend or withdraw the certificate issued or impose any restrictions on it, unless compliance with those requirements is ensured by appropriate corrective action taken by the provider of the system within an appropriate deadline set by the notified body. The notified body shall give reasons for its decision.
Article 45
NumberingCommissionParliamentCouncilText proposed by the AI
Article 45 Article 45
Appeal against decisions of notified bodies		Article 45
Appeal against decisions of notified bodies		Article 45
Appeal against decisions of notified bodies		Article 45
Appeal against decisions of notified bodies
Article 45 – paragraph 1Member States shall ensure that an appeal procedure against decisions of the notified bodies is available to parties having a legitimate interest in that decision.Member States shall ensure that an appeal procedure against decisions of the notified bodies, including on issued conformity certificates is available to parties having a legitimate interest in that decision.An appeal procedure against decisions of the notified bodies shall be available.Member States shall ensure that an appeal procedure against decisions of the notified bodies, including on issued conformity certificates, is available to parties having a legitimate interest in that decision.
Article 46
NumberingCommissionParliamentCouncilText proposed by the AI
Article 46 Article 46
Information obligations of notified bodies		Article 46
Information obligations of notified bodies		Article 46
Information obligations of notified bodies		Article 46
Information obligations of notified bodies
Article 46 – paragraph 11. Notified bodies shall inform the notifying authority of the following:

(a) any Union technical documentation assessment certificates, any supplements to those certificates, quality management system approvals issued in accordance with the requirements of Annex VII;

(b) any refusal, restriction, suspension or withdrawal of a Union technical documentation assessment certificate or a quality management system approval issued in accordance with the requirements of Annex VII;

(c) any circumstances affecting the scope of or conditions for notification;

(d) any request for information which they have received from market surveillance authorities regarding conformity assessment activities;

(e) on request, conformity assessment activities performed within the scope of their notification and any other activity performed, including cross-border activities and subcontracting.		1. Notified bodies shall inform the notifying authority of the following:

(a) any Union technical documentation assessment certificates, any supplements to those certificates, quality management system approvals issued in accordance with the requirements of Annex VII;

(b) any refusal, restriction, suspension or withdrawal of a Union technical documentation assessment certificate or a quality management system approval issued in accordance with the requirements of Annex VII;

(c) any circumstances affecting the scope of or conditions for notification;

(d) any request for information which they have received from market surveillance authorities regarding conformity assessment activities;

(e) on request, conformity assessment activities performed within the scope of their notification and any other activity performed, including cross-border activities and subcontracting.		1. Notified bodies shall inform the notifying authority of the following:

(a) any Union technical documentation assessment certificates, any supplements to those certificates, quality management system approvals issued in accordance with the requirements of Annex VII;

(b) any refusal, restriction, suspension or withdrawal of a Union technical documentation assessment certificate or a quality management system approval issued in accordance with the requirements of Annex VII;

(c) any circumstances affecting the scope of or conditions for notification;

(d) any request for information which they have received from market surveillance authorities regarding conformity assessment activities;

(e) on request, conformity assessment activities performed within the scope of their notification and any other activity performed, including cross-border activities and subcontracting.		1. Notified bodies shall inform the notifying authority of the following:

(a) any Union technical documentation assessment certificates, any supplements to those certificates, quality management system approvals issued in accordance with the requirements of Annex VII;

(b) any refusal, restriction, suspension or withdrawal of a Union technical documentation assessment certificate or a quality management system approval issued in accordance with the requirements of Annex VII;

(c) any circumstances affecting the scope of or conditions for notification;

(d) any request for information which they have received from market surveillance authorities regarding conformity assessment activities;

(e) on request, conformity assessment activities performed within the scope of their notification and any other activity performed, including cross-border activities and subcontracting.
Article 46 – paragraph 22. Each notified body shall inform the other notified bodies of:

(a) quality management system approvals which it has refused, suspended or withdrawn, and, upon request, of quality system approvals which it has issued;

(b) EU technical documentation assessment certificates or any supplements thereto which it has refused, withdrawn, suspended or otherwise restricted, and, upon request, of the certificates and/or supplements thereto which it has issued.		2. Each notified body shall inform the other notified bodies of:

(a) quality management system approvals which it has refused, suspended or withdrawn, and, upon request, of quality system approvals which it has issued;

(b) EU technical documentation assessment certificates or any supplements thereto which it has refused, withdrawn, suspended or otherwise restricted, and, upon request, of the certificates and/or supplements thereto which it has issued.		2. Each notified body shall inform the other notified bodies of:

(a) quality management system approvals which it has refused, suspended or withdrawn, and, upon request, of quality system approvals which it has issued;

(b) EU technical documentation assessment certificates or any supplements thereto which it has refused, withdrawn, suspended or otherwise restricted, and, upon request, of the certificates and/or supplements thereto which it has issued.		2. Each notified body shall inform the other notified bodies of:

(a) quality management system approvals which it has refused, suspended or withdrawn, and, upon request, of quality system approvals which it has issued;

(b) EU technical documentation assessment certificates or any supplements thereto which it has refused, withdrawn, suspended or otherwise restricted, and, upon request, of the certificates and/or supplements thereto which it has issued.
Article 46 – paragraph 33. Each notified body shall provide the other notified bodies carrying out similar conformity assessment activities covering the same artificial intelligence technologies with relevant information on issues relating to negative and, on request, positive conformity assessment results.3. Each notified body shall provide the other notified bodies carrying out similar conformity assessment activities with relevant information on issues relating to negative and, on request, positive conformity assessment results.3. Each notified body shall provide the other notified bodies carrying out similar conformity assessment activities covering the same AI systems with relevant information on issues relating to negative and, on request, positive conformity assessment results.3. Each notified body shall provide the other notified bodies carrying out similar conformity assessment activities covering the same artificial intelligence technologies and AI systems with relevant information on issues relating to negative and, on request, positive conformity assessment results.
Article 46 – paragraph 4 (new)4. The obligations referred to in paragraphs 1 to 3 shall be complied with in accordance with Article 70.The obligations outlined in paragraphs 1 to 3 must be adhered to in line with Article 70.
Article 47
NumberingCommissionParliamentCouncilText proposed by the AI
Article 47. Article 47
Derogation from conformity assessment procedure		Article 47
Derogation from conformity assessment procedure		Article 47
Derogation from conformity assessment procedure		Article 47
Derogation from conformity assessment procedure
Article 47 – paragraph 11. By way of derogation from Article 43, any market surveillance authority may authorise the placing on the market or putting into service of specific high-risk AI systems within the territory of the Member State concerned, for exceptional reasons of public security or the protection of life and health of persons, environmental protection and the protection of key industrial and infrastructural assets. That authorisation shall be for a limited period of time, while the necessary conformity assessment procedures are being carried out, and shall terminate once those procedures have been completed. The completion of those procedures shall be undertaken without undue delay.1. By way of derogation from Article 43, any national supervisory authority may request a judicial authority to authorise the placing on the market or putting into service of specific high-risk AI systems within the territory of the Member State concerned, for exceptional reasons of the protection of life and health of persons, environmental protection and the protection of critical infrastructure. That authorisation shall be for a limited period of time, while the necessary conformity assessment procedures are being carried out, and shall terminate once those procedures have been completed. The completion of those procedures shall be undertaken without undue delay;1. By way of derogation from Article 43 and upon a duly justified request, any market surveillance authority may authorise the placing on the market or putting into service of specific high-risk AI systems within the territory of the Member State concerned, for exceptional reasons of public security or the protection of life and health of persons, environmental protection and the protection of key industrial and infrastructural assets. That authorisation shall be for a limited period of time while the necessary conformity assessment procedures are being carried out, taking into account the exceptional reasons justifying the derogation. The completion of those procedures shall be undertaken without undue delay.1. By way of derogation from Article 43, any national supervisory authority or market surveillance authority may, upon a duly justified request, authorise or request a judicial authority to authorise the placing on the market or putting into service of specific high-risk AI systems within the territory of the Member State concerned, for exceptional reasons of public security, the protection of life and health of persons, environmental protection and the protection of key industrial, infrastructural assets and critical infrastructure. That authorisation shall be for a limited period of time, while the necessary conformity assessment procedures are being carried out, taking into account the exceptional reasons justifying the derogation, and shall terminate once those procedures have been completed. The completion of those procedures shall be undertaken without undue delay.
Article 47 – paragraph 1a (new)1a. In a duly justified situation of urgency for exceptional reasons of public security or in case of specific, substantial and imminent threat to the life or physical safety of natural persons, law enforcement authorities or civil protection authorities may put a specific high-risk AI system into service without the authorisation referred to in paragraph 1 provided that such authorisation is requested during or after the use without undue delay, and if such authorisation is rejected, its use shall be stopped with immediate effect and all the results and outputs of this use shall be immediately discarded.In exceptional circumstances of urgency, justified by public security reasons or a specific, substantial and imminent threat to the life or physical safety of individuals, law enforcement or civil protection authorities may deploy a high-risk AI system without the authorisation referred to in paragraph 1. However, such authorisation must be requested without undue delay during or after the use of the system. If the authorisation is subsequently denied, the use of the AI system must be immediately discontinued and all results and outputs from its use must be discarded without delay.
Article 47 – paragraph 22. The authorisation referred to in paragraph 1 shall be issued only if the market surveillance authority concludes that the high-risk AI system complies with the requirements of Chapter 2 of this Title. The market surveillance authority shall inform the Commission and the other Member States of any authorisation issued pursuant to paragraph 1.2. The authorisation referred to in paragraph 1 shall be issued only if the national supervisory authority and judicial authority conclude that the high-risk AI system complies with the requirements of Chapter 2 of this Title. The national supervisory authority shall inform the Commission, the AI office, and the other Member States of any request made and any subsequent authorisation issued pursuant to paragraph 1;2. The authorisation referred to in paragraph 1 shall be issued only if the market surveillance authority concludes that the high-risk AI system complies with the requirements of Chapter 2 of this Title. The market surveillance authority shall inform the Commission and the other Member States of any authorisation issued pursuant to paragraph 1. This obligation shall not cover sensitive operational data in relation to the activities of law enforcement authorities.2. The authorisation referred to in paragraph 1 shall be issued only if the national supervisory authority, judicial authority, and market surveillance authority conclude that the high-risk AI system complies with the requirements of Chapter 2 of this Title. The national supervisory authority and market surveillance authority shall inform the Commission, the AI office, and the other Member States of any request made and any subsequent authorisation issued pursuant to paragraph 1. This obligation shall not cover sensitive operational data in relation to the activities of law enforcement authorities.
Article 47 – paragraph 33. Where, within 15 calendar days of receipt of the information referred to in paragraph 2, no objection has been raised by either a Member State or the Commission in respect of an authorisation issued by a market surveillance authority of a Member State in accordance with paragraph 1, that authorisation shall be deemed justified.3. Where, within 15 calendar days of receipt of the information referred to in paragraph 2, no objection has been raised by either a Member State or the Commission in respect to the request of the national supervisory authority for an authorisation issued by a national supervisory authority of a Member State in accordance with paragraph 1, that authorisation shall be deemed justified;deleted3. Where, within 15 calendar days of receipt of the information referred to in paragraph 2, no objection has been raised by either a Member State or the Commission in respect of an authorisation issued by a national supervisory authority of a Member State in accordance with paragraph 1, that authorisation shall be deemed justified.
Article 47 – paragraph 44. Where, within 15 calendar days of receipt of the notification referred to in paragraph 2, objections are raised by a Member State against an authorisation issued by a market surveillance authority of another Member State, or where the Commission considers the authorisation to be contrary to Union law or the conclusion of the Member States regarding the compliance of the system as referred to in paragraph 2 to be unfounded, the Commission shall without delay enter into consultation with the relevant Member State; the operator(s) concerned shall be consulted and have the possibility to present their views. In view thereof, the Commission shall decide whether the authorisation is justified or not. The Commission shall address its decision to the Member State concerned and the relevant operator or operators.4. Where, within 15 calendar days of receipt of the notification referred to in paragraph 2, objections are raised by a Member State against a request issued by a national supervisory authority of another Member State, or where the Commission considers the authorisation to be contrary to Union law or the conclusion of the Member States regarding the compliance of the system as referred to in paragraph 2 to be unfounded, the Commission shall without delay enter into consultation with the relevant Member State and the AI Office; the operator(s) concerned shall be consulted and have the possibility to present their views. In view thereof, the Commission shall decide whether the authorisation is justified or not. The Commission shall address its decision to the Member State concerned and the relevant operator(s);deleted4. Where, within 15 calendar days of receipt of the notification referred to in paragraph 2, objections are raised by a Member State against an authorisation issued by a market surveillance authority or a request issued by a national supervisory authority of another Member State, or where the Commission considers the authorisation to be contrary to Union law or the conclusion of the Member States regarding the compliance of the system as referred to in paragraph 2 to be unfounded, the Commission shall without delay enter into consultation with the relevant Member State; the operator(s) concerned shall be consulted and have the possibility to present their views. In view thereof, the Commission shall decide whether the authorisation is justified or not. The Commission shall address its decision to the Member State concerned and the relevant operator or operators.
Article 47 – paragraph 55. If the authorisation is considered unjustified, this shall be withdrawn by the market surveillance authority of the Member State concerned.5. If the authorisation is considered unjustified, this shall be withdrawn by the national supervisory authority of the Member State concerned;deleted5. If the authorisation is considered unjustified, this shall be withdrawn by the relevant authority of the Member State concerned.
Article 47 – paragraph 66. By way of derogation from paragraphs 1 to 5, for high-risk AI systems intended to be used as safety components of devices, or which are themselves devices, covered by Regulation (EU) 2017/745 and Regulation (EU) 2017/746, Article 59 of Regulation (EU) 2017/745 and Article 54 of Regulation (EU) 2017/746 shall apply also with regard to the derogation from the conformity assessment of the compliance with the requirements set out in Chapter 2 of this Title.6. By way of derogation from paragraphs 1 to 5, for high-risk AI systems intended to be used as safety components of devices, or which are themselves devices, covered by Regulation (EU) 2017/745 and Regulation (EU) 2017/746, Article 59 of Regulation (EU) 2017/745 and Article 54 of Regulation (EU) 2017/746 shall apply also with regard to the derogation from the conformity assessment of the compliance with the requirements set out in Chapter 2 of this Title.6. For high-risk AI systems related to products covered by Union harmonisation legislation referred to in Annex II Section A, only the conformity assessment derogation procedures established in that legislation shall apply.6. By way of derogation from paragraphs 1 to 5, for high-risk AI systems intended to be used as safety components of devices, or which are themselves devices, covered by Regulation (EU) 2017/745 and Regulation (EU) 2017/746, and related to products covered by Union harmonisation legislation referred to in Annex II Section A, Article 59 of Regulation (EU) 2017/745 and Article 54 of Regulation (EU) 2017/746 shall apply also with regard to the derogation from the conformity assessment of the compliance with the requirements set out in Chapter 2 of this Title, and only the conformity assessment derogation procedures established in that legislation shall apply.
Article 48
NumberingCommissionParliamentCouncilText proposed by the AI
Article 48Article 48
EU declaration of conformity		Article 48
EU declaration of conformity		Article 48
EU declaration of conformity		Article 48
EU declaration of conformity
Article 48 – paragraph 11. The provider shall draw up a written EU declaration of conformity for each AI system and keep it at the disposal of the national competent authorities for 10 years after the AI system has been placed on the market or put into service. The EU declaration of conformity shall identify the AI system for which it has been drawn up. A copy of the EU declaration of conformity shall be given to the relevant national competent authorities upon request.1. The provider shall draw up a written machine readable, physical or electronic EU declaration of conformity for each high-risk AI system and keep it at the disposal of the national supervisory authority and the national competent authorities for 10 years after the AI high-risk system has been placed on the market or put into service. A copy of the EU declaration of conformity shall be submitted to the national supervisory authority and the relevant national competent authorities upon request;1. The provider shall draw up a written or electronically signed EU declaration of conformity for each AI system and keep it at the disposal of the national competent authorities for 10 years after the AI system has been placed on the market or put into service. The EU declaration of conformity shall identify the AI system for which it has been drawn up. A copy of the EU declaration of conformity shall be submitted to the relevant national competent authorities upon request.The provider shall draw up a written, machine readable, physical or electronic, or electronically signed EU declaration of conformity for each high-risk AI system and keep it at the disposal of the national supervisory authority and the national competent authorities for 10 years after the AI high-risk system has been placed on the market or put into service. The EU declaration of conformity shall identify the AI system for which it has been drawn up. A copy of the EU declaration of conformity shall be submitted to the national supervisory authority and the relevant national competent authorities upon request.
Article 48 – paragraph 22. The EU declaration of conformity shall state that the high-risk AI system in question meets the requirements set out in Chapter 2 of this Title. The EU declaration of conformity shall contain the information set out in Annex V and shall be translated into an official Union language or languages required by the Member State(s) in which the high-risk AI system is made available.2. The EU declaration of conformity shall state that the high-risk AI system in question meets the requirements set out in Chapter 2 of this Title. The EU declaration of conformity shall contain the information set out in Annex V and shall be translated into an official Union language or languages required by the Member State(s) in which the high-risk AI system is placed on the market or made available;2. The EU declaration of conformity shall state that the high-risk AI system in question meets the requirements set out in Chapter 2 of this Title. The EU declaration of conformity shall contain the information set out in Annex V and shall be translated into a language that can be easily understood by the national competent authorities of the Member State(s) in which the high-risk AI system is made available.2. The EU declaration of conformity shall state that the high-risk AI system in question meets the requirements set out in Chapter 2 of this Title. The EU declaration of conformity shall contain the information set out in Annex V and shall be translated into an official Union language or languages required by the Member State(s) in which the high-risk AI system is placed on the market or made available, and in a language that can be easily understood by the national competent authorities.
Article 48 – paragraph 33. Where high-risk AI systems are subject to other Union harmonisation legislation which also requires an EU declaration of conformity, a single EU declaration of conformity shall be drawn up in respect of all Union legislations applicable to the high-risk AI system. The declaration shall contain all the information required for identification of the Union harmonisation legislation to which the declaration relates.3. Where high-risk AI systems are subject to other Union harmonisation legislation which also requires an EU declaration of conformity, a single EU declaration of conformity may be drawn up in respect of all Union legislations applicable to the high-risk AI system. The declaration shall contain all the information required for identification of the Union harmonisation legislation to which the declaration relates.3. Where high-risk AI systems are subject to other Union harmonisation legislation which also requires an EU declaration of conformity, a single EU declaration of conformity shall be drawn up in respect of all Union legislations applicable to the high-risk AI system. The declaration shall contain all the information required for identification of the Union harmonisation legislation to which the declaration relates.3. Where high-risk AI systems are subject to other Union harmonisation legislation which also requires an EU declaration of conformity, a single EU declaration of conformity shall be drawn up in respect of all Union legislations applicable to the high-risk AI system. The declaration shall contain all the information required for identification of the Union harmonisation legislation to which the declaration relates.
Article 48 – paragraph 44. By drawing up the EU declaration of conformity, the provider shall assume responsibility for compliance with the requirements set out in Chapter 2 of this Title. The provider shall keep the EU declaration of conformity up-to-date as appropriate.4. By drawing up the EU declaration of conformity, the provider shall assume responsibility for compliance with the requirements set out in Chapter 2 of this Title. The provider shall keep the EU declaration of conformity up-to-date as appropriate.4. By drawing up the EU declaration of conformity, the provider shall assume responsibility for compliance with the requirements set out in Chapter 2 of this Title. The provider shall keep the EU declaration of conformity up-to-date as appropriate.4. By drawing up the EU declaration of conformity, the provider shall assume responsibility for compliance with the requirements set out in Chapter 2 of this Title. The provider shall keep the EU declaration of conformity up-to-date as appropriate.
Article 48 – paragraph 55. The Commission shall be empowered to adopt delegated acts in accordance with Article 73 for the purpose of updating the content of the EU declaration of conformity set out in Annex V in order to introduce elements that become necessary in light of technical progress.5. After consulting the AI Office, the Commission shall be empowered to adopt delegated acts in accordance with Article 73 for the purpose of updating the content of the EU declaration of conformity set out in Annex V in order to introduce elements that become necessary in light of technical progress;5. The Commission shall be empowered to adopt delegated acts in accordance with Article 73 for the purpose of updating the content of the EU declaration of conformity set out in Annex V in order to introduce elements that become necessary in light of technical progress.5. After consulting the AI Office, the Commission shall be empowered to adopt delegated acts in accordance with Article 73 for the purpose of updating the content of the EU declaration of conformity set out in Annex V in order to introduce elements that become necessary in light of technical progress.
Article 49
NumberingCommissionParliamentCouncilText proposed by the AI
Article 49Article 49
CE marking of conformity		Article 49
CE marking of conformity		Article 49
CE marking of conformity		Article 49
CE marking of conformity
Article 49 – paragraph 11. The CE marking shall be affixed visibly, legibly and indelibly for high-risk AI systems. Where that is not possible or not warranted on account of the nature of the high-risk AI system, it shall be affixed to the packaging or to the accompanying documentation, as appropriate.1. The physical CE marking shall be affixed visibly, legibly and indelibly for high-risk AI systems before the high-risk AI system is placed on the market Where that is not possible or not warranted on account of the nature of the high-risk AI system, it shall be affixed to the packaging or to the accompanying documentation, as appropriate. It may be followed by a pictogram or any other marking indicating a special risk of use;1. The CE marking of conformity shall be subject to the general principles set out in Article 30 of Regulation (EC) No 765/2008.1. The physical CE marking of conformity, subject to the general principles set out in Article 30 of Regulation (EC) No 765/2008, shall be affixed visibly, legibly and indelibly for high-risk AI systems before the high-risk AI system is placed on the market. Where that is not possible or not warranted on account of the nature of the high-risk AI system, it shall be affixed to the packaging or to the accompanying documentation, as appropriate. It may be followed by a pictogram or any other marking indicating a special risk of use.
Article 49 – paragraph 1a (new)1a. For digital only high-risk AI systems, a digital CE marking shall be used, only if it can be easily accessed via the interface from which the AI system is accessed or via an easily accessible machine-readable code or other electronic means.For high-risk AI systems that are digital only, a digital CE marking shall be implemented. This marking should be easily accessible either through the interface from which the AI system is accessed or via a machine-readable code or other electronic means that are easily accessible.
Article 49 – paragraph 22. The CE marking referred to in paragraph 1 of this Article shall be subject to the general principles set out in Article 30 of Regulation (EC) No 765/2008.2. The CE marking referred to in paragraph 1 of this Article shall be subject to the general principles set out in Article 30 of Regulation (EC) No 765/2008.2. The CE marking shall be affixed visibly, legibly and indelibly for high-risk AI systems. Where that is not possible or not warranted on account of the nature of the high-risk AI system, it shall be affixed to the packaging or to the accompanying documentation, as appropriate.2. The CE marking referred to in paragraph 1 of this Article shall be subject to the general principles set out in Article 30 of Regulation (EC) No 765/2008. The CE marking shall be affixed visibly, legibly and indelibly for high-risk AI systems. Where that is not possible or not warranted on account of the nature of the high-risk AI system, it shall be affixed to the packaging or to the accompanying documentation, as appropriate.
Article 49 – paragraph 33. Where applicable, the CE marking shall be followed by the identification number of the notified body responsible for the conformity assessment procedures set out in Article 43. The identification number shall also be indicated in any promotional material which mentions that the high-risk AI system fulfils the requirements for CE marking.3. Where applicable, the CE marking shall be followed by the identification number of the notified body responsible for the conformity assessment procedures set out in Article 43. The identification number of the notified body shall be affixed by the body itself or, under its instructions, by the provider’s authorised representative. The identification number shall also be indicated in any promotional material which mentions that the high-risk AI system fulfils the requirements for CE marking;3. Where applicable, the CE marking shall be followed by the identification number of the notified body responsible for the conformity assessment procedures set out in Article 43. The identification number shall also be indicated in any promotional material which mentions that the high-risk AI system fulfils the requirements for CE marking.3. Where applicable, the CE marking shall be followed by the identification number of the notified body responsible for the conformity assessment procedures set out in Article 43. The identification number of the notified body shall be affixed by the body itself or, under its instructions, by the provider’s authorised representative. The identification number shall also be indicated in any promotional material which mentions that the high-risk AI system fulfils the requirements for CE marking.
Article 49 – paragraph 3a (new)3a. Where high-risk AI systems are subject to other Union law which also provides for the affixing of the CE marking, the CE marking shall indicate that the high-risk AI system also fulfil the requirements of that other law.The CE marking on high-risk AI systems shall indicate compliance not only with the requirements specific to these systems, but also with any other applicable Union law.
Article 50
NumberingCommissionParliamentCouncilText proposed by the AI
Article 50 Article 50
Document retention		Article 50
Document retention		deletedNone
Article 50 The provider shall, for a period ending 10 years after the AI system has been placed on the market or put into service, keep at the disposal of the national competent authorities:

(a) the technical documentation referred to in Article 11;

(b) the documentation concerning the quality management system referred to Article 17;

(c) the documentation concerning the changes approved by notified bodies where applicable;

(d) the decisions and other documents issued by the notified bodies where applicable;

(e) the EU declaration of conformity referred to in Article 48.		The provider shall, for a period ending 10 years, after the AI system has been placed on the market or put into service keep at the disposal of the national supervisory authority and the national competent authorities:

(a) the technical documentation referred to in Article 11;

(b) the documentation concerning the quality management system referred to Article 17;

(c) the documentation concerning the changes approved by notified bodies where applicable;

(d) the decisions and other documents issued by the notified bodies where applicable;

(e) the EU declaration of conformity referred to in Article 48.		deletedThe provider shall, for a period ending 10 years after the AI system has been placed on the market or put into service, keep at the disposal of the national competent authorities:

(a) the technical documentation referred to in Article 11;

(b) the documentation concerning the quality management system referred to Article 17;

(c) the documentation concerning the changes approved by notified bodies where applicable;

(d) the decisions and other documents issued by the notified bodies where applicable;

(e) the EU declaration of conformity referred to in Article 48.
Article 51
NumberingCommissionParliamentCouncilText proposed by the AI
Article 51 Article 51
Registration		Article 51
Registration		Article 51
Registration of relevant operators and of high-risk AI systems listed in Annex III		Article 51
Registration of relevant operators and high-risk AI systems
Article 51 – paragraph 1Before placing on the market or putting into service a high-risk AI system referred to in Article 6(2), the provider or, where applicable, the authorised representative shall register that system in the EU database referred to in Article 60.1. Before placing on the market or putting into service a high-risk AI system referred to in Article 6(2) the provider or, where applicable, the authorised representative shall register that system in the EU database referred to in Article 60, in accordance with Article 60(2);1. Before placing on the market or putting into service a high-risk AI system listed in Annex III with the exception of high-risk AI systems referred to in Annex III, points 1, 6 and 7 in the areas of law enforcement, migration, asylum and border control management, and high risk AI systems referred to in Annex III point 2, the provider and where applicable, the authorised representative shall register themselves in the EU database referred to in Article 60. The provider or, where applicable the authorised representative, shall also register their systems in that database.Before placing on the market or putting into service a high-risk AI system referred to in Article 6(2) and listed in Annex III, with the exception of high-risk AI systems referred to in Annex III, points 1, 6 and 7 in the areas of law enforcement, migration, asylum and border control management, and high risk AI systems referred to in Annex III point 2, the provider or, where applicable, the authorised representative shall register themselves and their systems in the EU database referred to in Article 60, in accordance with Article 60(2).
Article 51 – paragraph 1a [P] / paragraph 2 [C] (new)1a. Before putting into service or using a high-risk AI system in accordance with Article 6(2), the following categories of deployers shall register the use of that AI system in the EU database referred to in Article 60:
a) deployers who are public authorities or Union institutions, bodies, offices or agencies or deployers acting on their behalf;
b) deployers who are undertakings designated as a gatekeeper under Regulation (EU) 2022/1925.
2. Before using a high-risk AI system listed in Annex III, users of high-risk AI systems that are public authorities, agencies or bodies, or entities acting on their behalf, shall register themselves in the EU database referred to in Article 60 and select the system that they envisage to use.

The obligations laid down in the previous subparagraph shall not apply to law enforcement, border control, immigration or asylum authorities, agencies or bodies and authorities, agencies or bodies using high-risk AI systems referred to Annex III point 2, as well as to entities acting on their behalf.		Before putting into service or using a high-risk AI system in accordance with Article 6(2) and listed in Annex III, the following categories of deployers and users shall register the use of that AI system in the EU database referred to in Article 60:

a) Deployers and users who are public authorities, Union institutions, bodies, offices or agencies, or entities acting on their behalf;
b) Deployers who are undertakings designated as a gatekeeper under Regulation (EU) 2022/1925.

The obligations laid down in the previous subparagraph shall not apply to law enforcement, border control, immigration or asylum authorities, agencies or bodies and authorities, agencies or bodies using high-risk AI systems referred to Annex III point 2, as well as to entities acting on their behalf.
Article 51 – paragraph 1b (new)1b. Deployers who do not fall under subparagraph 1a. shall be entitled to voluntarily register the use of a high-risk AI system referred to in Article 6(2) in the EU database referred to in Article 60.All deployers, including those who do not fall under subparagraph 1a, shall have the option to voluntarily register the use of a high-risk AI system as mentioned in Article 6(2) in the EU database referred to in Article 60.
Article 51 – paragraph 1c (new)1c. An updated registration entry must be completed immediately following each substantial modification.An updated registration entry must be completed immediately following each substantial modification.

TITLE IV: Transparency Obligations for Certain AI Systems

Article 52
NumberingCommissionParliamentCouncilText proposed by the AI
Article 52Article 52
Transparency obligations for certain AI systems		Article 52
Transparency obligations 		Article 52
Transparency obligations for providers and users of certain AI systems		Article 52
Transparency obligations for providers and users of certain AI systems
Article 52 – paragraph 11. Providers shall ensure that AI systems intended to interact with natural persons are designed and developed in such a way that natural persons are informed that they are interacting with an AI system, unless this is obvious from the circumstances and the context of use. This obligation shall not apply to AI systems authorised by law to detect, prevent, investigate and prosecute criminal offences, unless those systems are available for the public to report a criminal offence.1. Providers shall ensure that AI systems intended to interact with natural persons are designed and developed in such a way that the AI system, the provider itself or the user informs the natural person exposed to an AI system that they are interacting with an AI system in a timely, clear and intelligible manner, unless this is obvious from the circumstances and the context of use.

Where appropriate and relevant, this information shall also include which functions are AI enabled, if there is human oversight, and who is responsible for the decision-making process, as well as the existing rights and processes that, according to Union and national law, allow natural persons or their representatives to object against the application of such systems to them and to seek judicial redress against decisions taken by or harm caused by AI systems, including their right to seek an explanation. This obligation shall not apply to AI systems authorised by law to detect, prevent, investigate and prosecute criminal offences, unless those systems are available for the public to report a criminal offence.
1. Providers shall ensure that AI systems intended to interact with natural persons are designed and developed in such a way that natural persons are informed that they are interacting with an AI system, unless this is obvious from the point of view of a natural person who is reasonably well-informed, observant and circumspect, taking into account the circumstances and the context of use. This obligation shall not apply to AI systems authorised by law to detect, prevent, investigate and prosecute criminal offences, subject to appropriate safeguards for the rights and freedoms of third parties, unless those systems are available for the public to report a criminal offence.1. Providers shall ensure that AI systems intended to interact with natural persons are designed and developed in such a way that the AI system, the provider itself or the user informs the natural person exposed to an AI system that they are interacting with an AI system in a timely, clear and intelligible manner, unless this is obvious from the point of view of a natural person who is reasonably well-informed, observant and circumspect, taking into account the circumstances and the context of use.

Where appropriate and relevant, this information shall also include which functions are AI enabled, if there is human oversight, and who is responsible for the decision-making process, as well as the existing rights and processes that, according to Union and national law, allow natural persons or their representatives to object against the application of such systems to them and to seek judicial redress against decisions taken by or harm caused by AI systems, including their right to seek an explanation.

This obligation shall not apply to AI systems authorised by law to detect, prevent, investigate and prosecute criminal offences, subject to appropriate safeguards for the rights and freedoms of third parties, unless those systems are available for the public to report a criminal offence.
Article 52 – paragraph 22. Users of an emotion recognition system or a biometric categorisation system shall inform of the operation of the system the natural persons exposed thereto. This obligation shall not apply to AI systems used for biometric categorisation, which are permitted by law to detect, prevent and investigate criminal offences.2. Users of an emotion recognition system or a biometric categorisation system which is not prohibited pursuant to Article 5 shall inform in a timely, clear and intelligible manner of the operation of the system the natural persons exposed thereto and obtain their consent prior to the processing of their biometric and other personal data in accordance with Regulation (EU) 2016/679, Regulation (EU) 2016/1725 and Directive (EU) 2016/280, as applicable. This obligation shall not apply to AI systems used for biometric categorisation, which are permitted by law to detect, prevent and investigate criminal offences2. Users of a biometric categorisation system shall inform of the operation of the system the natural persons exposed thereto. This obligation shall not apply to AI systems used for biometric categorisation, which are permitted by law to detect, prevent and investigate criminal offences, subject to appropriate safeguards for the rights and freedoms of third parties.2. Users of an emotion recognition system or a biometric categorisation system shall inform in a timely, clear and intelligible manner of the operation of the system the natural persons exposed thereto and obtain their consent prior to the processing of their biometric and other personal data in accordance with Regulation (EU) 2016/679, Regulation (EU) 2016/1725 and Directive (EU) 2016/280, as applicable. This obligation shall not apply to AI systems used for biometric categorisation, which are permitted by law to detect, prevent and investigate criminal offences, subject to appropriate safeguards for the rights and freedoms of third parties.
Article 52 – paragraph 2a (new)2a. Users of an emotion recognition system shall inform of the operation of the system the natural persons exposed thereto. This obligation shall not apply to AI systems used for emotion recognition which are permitted by law to detect, prevent and investigate criminal offences, subject to appropriate safeguards for the rights and freedoms of third parties.Users of an emotion recognition system shall be obligated to inform the natural persons exposed to the operation of the system. However, this obligation shall not apply to AI systems used for emotion recognition which are legally permitted to detect, prevent, and investigate criminal offences, provided that appropriate safeguards are in place for the rights and freedoms of third parties.
Article 52 – paragraph 3 – subparagraph 13. Users of an AI system that generates or manipulates image, audio or video content that appreciably resembles existing persons, objects, places or other entities or events and would falsely appear to a person to be authentic or truthful (‘deep fake’), shall disclose that the content has been artificially generated or manipulated.3. Users of an AI system that generates or manipulates text, audio or visual content that would falsely appear to be authentic or truthful and which features depictions of people appearing to say or do things they did not say or do, without their consent (‘deep fake’), shall disclose in an appropriate, timely, clear and visible manner that the content has been artificially generated or manipulated, as well as, whenever possible, the name of the natural or legal person that generated or manipulated it. Disclosure shall mean labelling the content in a way that informs that the content is inauthentic and that is clearly visible for the recipient of that content. To label the content, users shall take into account the generally acknowledged state of the art and relevant harmonised standards and specifications.3. Users of an AI system that generates or manipulates image, audio or video content that appreciably resembles existing persons, objects, places or other entities or events and would falsely appear to a person to be authentic or truthful (‘deep fake’), shall disclose that the content has been artificially generated or manipulated.3. Users of an AI system that generates or manipulates image, audio, video or text content that appreciably resembles existing persons, objects, places or other entities or events and would falsely appear to a person to be authentic or truthful, or features depictions of people appearing to say or do things they did not say or do, without their consent (‘deep fake’), shall disclose in an appropriate, timely, clear and visible manner that the content has been artificially generated or manipulated. Whenever possible, the name of the natural or legal person that generated or manipulated it should also be disclosed. Disclosure shall mean labelling the content in a way that informs that the content is inauthentic and that is clearly visible for the recipient of that content. To label the content, users shall take into account the generally acknowledged state of the art and relevant harmonised standards and specifications.
Article 52 – paragraph 3 – subparagraph 2However, the first subparagraph shall not apply where the use is authorised by law to detect, prevent, investigate and prosecute criminal offences or it is necessary for the exercise of the right to freedom of expression and the right to freedom of the arts and sciences guaranteed in the Charter of Fundamental Rights of the EU, and subject to appropriate safeguards for the rights and freedoms of third parties.3a. Paragraph 3 shall not apply where the use of an AI system that generates or manipulates text, audio or visual content is authorized by law or if it is necessary for the exercise of the right to freedom of expression and the right to freedom of the arts and sciences guaranteed in the Charter of Fundamental Rights of the EU, and subject to appropriate safeguards for the rights and freedoms of third parties. Where the content forms part of an evidently creative, satirical, artistic or fictional cinematographic, video games visuals and analogous work or programme, transparency obligations set out in paragraph 3 are limited to disclosing of the existence of such generated or manipulated content in an appropriate clear and visible manner that does not hamper the display of the work and disclosing the applicable copyrights, where relevant. It shall also not prevent law enforcement authorities from using AI systems intended to detect deep fakes and prevent, investigate and prosecute criminal offences linked with their useHowever, the first subparagraph shall not apply where the use is authorised by law to detect, prevent, investigate and prosecute criminal offences or where the content is part of an evidently creative, satirical, artistic or fictional work or programme subject to appropriate safeguards for the rights and freedoms of third parties.The first subparagraph shall not apply where the use of an AI system that generates or manipulates text, audio or visual content is authorised by law to detect, prevent, investigate and prosecute criminal offences, or if it is necessary for the exercise of the right to freedom of expression and the right to freedom of the arts and sciences guaranteed in the Charter of Fundamental Rights of the EU. This also includes where the content forms part of an evidently creative, satirical, artistic or fictional cinematographic, video games visuals and analogous work or programme. Transparency obligations are limited to disclosing of the existence of such generated or manipulated content in an appropriate clear and visible manner that does not hamper the display of the work and disclosing the applicable copyrights, where relevant. It shall also not prevent law enforcement authorities from using AI systems intended to detect deep fakes and prevent, investigate and prosecute criminal offences linked with their use. All these exceptions are subject to appropriate safeguards for the rights and freedoms of third parties.
Article 52 – paragraph 3b [P] / paragraph 3a [C] (new)3b. The information referred to in paragraphs 1 to 3 shall be provided to the natural persons at the latest at the time of the first interaction or exposure. It shall be accessible to vulnerable persons, such as persons with disabilities or children, complete, where relevant and appropriate, with intervention or flagging procedures for the exposed natural person taking into account the generally acknowledged state of the art and relevant harmonised standards and common specifications.3a. The information referred to in paragraphs 1 to 3 shall be provided to natural persons in a clear and distinguishable manner at the latest at the time of the first interaction or exposure.The information referred to in paragraphs 1 to 3 shall be provided to natural persons, including vulnerable persons such as those with disabilities or children, in a clear, distinguishable, and accessible manner at the latest at the time of the first interaction or exposure. This information should be complete, where relevant and appropriate, with intervention or flagging procedures for the exposed natural person, taking into account the generally acknowledged state of the art and relevant harmonised standards and common specifications.
Article 52 – paragraph 44. Paragraphs 1, 2 and 3 shall not affect the requirements and obligations set out in Title III of this Regulation.4. Paragraphs 1, 2 and 3 shall not affect the requirements and obligations set out in Title III of this Regulation.4. Paragraphs 1, 2, 2a and 3 and 3a shall not affect the requirements and obligations set out in Title III of this Regulation and shall be without prejudice to other transparency obligations for users of AI systems laid down in Union or national law.4. Paragraphs 1, 2, 2a, 3 and 3a shall not affect the requirements and obligations set out in Title III of this Regulation and shall be without prejudice to other transparency obligations for users of AI systems laid down in Union or national law.

TITLE V: Measures in Support of Innovation

Article 53
NumberingCommissionParliamentCouncilText proposed by the AI
Article 53 Article 53
AI regulatory sandboxes		Article 53
AI regulatory sandboxes		Article 53
AI regulatory sandboxes		Article 53
AI regulatory sandboxes
None
Article 53 – paragraph -1 (new)–1a. National competent authorities may establish AI regulatory sandboxes for the development, training, testing and validation of innovative AI systems under the direct supervision, guidance and support by the national competent authority, before those systems are placed on the market or put into service. Such regulatory sandboxes may include testing in real world conditions supervised by the national competent authorities.National competent authorities may establish AI regulatory sandboxes for the development, training, testing and validation of innovative AI systems. These sandboxes will operate under the direct supervision, guidance and support of the national competent authority, before the AI systems are placed on the market or put into service. The regulatory sandboxes may also include testing in real world conditions, which will be supervised by the national competent authorities.
Article 53 – paragraph -1a (new)–1c. Where appropriate, national competent authorities shall cooperate with other relevant authorities and may allow for the involvement of other actors within the AI ecosystem.National competent authorities, where appropriate, shall cooperate with other relevant authorities and may consider the involvement of other actors within the AI ecosystem.
Article 53 – paragraph -1b (new)–1d. This Article shall not affect other regulatory sandboxes established under national or Union law, including in cases where the products or services that are tested in them are linked to the use of innovative AI systems. Member States shall ensure an appropriate level of cooperation between the authorities supervising those other sandboxes and the national competent authorities.This Article shall not impact other regulatory sandboxes established under national or Union law, including instances where the products or services tested are associated with the use of innovative AI systems. Member States shall ensure an appropriate level of cooperation between the authorities supervising these other sandboxes and the national competent authorities.
Article 53 – paragraph 11.  AI regulatory sandboxes established by one or more Member States competent authorities or the European Data Protection Supervisor shall provide a controlled environment that facilitates the development, testing and validation of innovative AI systems for a limited time before their placement on the market or putting into service pursuant to a specific plan. This shall take place under the direct supervision and guidance by the competent authorities with a view to ensuring compliance with the requirements of this Regulation and, where relevant, other Union and Member States legislation supervised within the sandbox.1.  Member States shall establish at least one AI regulatory sandbox at national level, which shall be operational at the latest on the day of the entry into application of this Regulation This sandbox can also be established jointly with one or several other Member States;deletedMember States, or the European Data Protection Supervisor, shall establish at least one AI regulatory sandbox. This sandbox, which can also be established jointly with one or several other Member States, shall provide a controlled environment that facilitates the development, testing, and validation of innovative AI systems for a limited time before their placement on the market or putting into service pursuant to a specific plan. This shall take place under the direct supervision and guidance by the competent authorities with a view to ensuring compliance with the requirements of this Regulation and, where relevant, other Union and Member States legislation supervised within the sandbox. The sandbox shall be operational at the latest on the day of the entry into application of this Regulation.
Article 53 – paragraph 1b (new) [C]1b. The establishment of AI regulatory sandboxes under this Regulation shall aim to contribute to one or more of the following objectives:

a) foster innovation and competitiveness and facilitate the development of an AI ecosystem;

b) facilitate and accelerate access to the Union market for AI systems, in particular when provided by small and medium enterprises (SMEs), including start-ups;

c) improve legal certainty and contribute to the sharing of best practices through cooperation with the authorities involved in the AI regulatory sandbox with a view to ensuring future compliance with this Regulation and, where appropriate, with other Union and Member States legislation;

d) contribute to evidence-based regulatory learning.		The establishment of AI regulatory sandboxes under this Regulation shall aim to achieve the following objectives:

a) Encourage innovation and competitiveness, and aid in the creation of an AI ecosystem;

b) Provide and expedite access to the Union market for AI systems, especially those offered by small and medium enterprises (SMEs), including start-ups;

c) Enhance legal certainty and promote the exchange of best practices through collaboration with the authorities involved in the AI regulatory sandbox. This is to ensure future compliance with this Regulation and, if necessary, with other Union and Member States legislation;

d) Aid in evidence-based regulatory learning.
Article 53 – paragraph 1a (new) 1a. Additional AI regulatory sandboxes at regional or local levels or jointly with other Member States may also be established;Additional AI regulatory sandboxes may be established at regional or local levels, or jointly with other Member States.
Article 53 – paragraph 1 b (new) [P]1b. The Commission and the European Data Protection Supervisor, on their own, jointly or in collaboration with one or more Member States may also establish AI regulatory sandboxes at Union level;The Commission, in collaboration with the European Data Protection Supervisor and one or more Member States, may establish AI regulatory sandboxes at Union level.
Article 53 – paragraph 1c (new)1c. Establishing authorities shall allocate sufficient resources to comply with this Article effectively and in a timely manner;The establishing authorities shall ensure the allocation of sufficient resources to effectively and promptly comply with this Article.
Article 53 – paragraph 1d (new)1d. AI regulatory sandboxes shall, in accordance with criteria set out in Article 53a, provide for a controlled environment that fosters innovation and facilitates the development, testing and validation of innovative AI systems for a limited time before their placement on the market or putting into service pursuant to a specific plan agreed between the prospective providers and the establishing authority;AI regulatory sandboxes shall, in line with the criteria outlined in Article 53a, create a controlled environment that encourages innovation and aids in the development, testing, and validation of innovative AI systems for a limited period before they are introduced to the market or put into service. This will be done according to a specific plan agreed upon by the prospective providers and the establishing authority.
Article 53 – paragraph 1e (new)1e. The establishment of AI regulatory sandboxes shall aim to contribute to the following objectives:
a) for the competent authorities to provide guidance to AI systems prospective providers providers to achieve regulatory compliance with this Regulation or where relevant other applicable Union and Member States legislation;
b) for the prospective providers to allow and facilitate the testing and development of innovative solutions related to AI systems;
c) regulatory learning in a controlled environment.		The establishment of AI regulatory sandboxes shall aim to contribute to the following objectives:

a) For the competent authorities to provide guidance to prospective providers of AI systems to achieve regulatory compliance with this Regulation or, where relevant, other applicable Union and Member States legislation;

b) For the prospective providers to allow and facilitate the testing and development of innovative solutions related to AI systems;

c) To promote regulatory learning in a controlled environment.
Article 53 – paragraph 1f (new)1f. Establishing authorities shall provide guidance and supervision within the sandbox with a view to identify risks, in particular to fundamental rights, democracy and rule of law, health and safety and the environment, test and demonstrate mitigation measures for identified risks, and their effectiveness and ensure compliance with the requirements of this Regulation and, where relevant, other Union and Member States legislation;Establishing authorities shall provide guidance and supervision within the sandbox with a view to identify risks, particularly those related to fundamental rights, democracy, rule of law, health and safety, and the environment. They will also test and demonstrate mitigation measures for identified risks, evaluate their effectiveness, and ensure compliance with the requirements of this Regulation and, where relevant, other Union and Member States legislation.
Article 53 – paragraph 1g (new)1g. Establishing authorities shall provide sandbox prospective providers who develop high-risk AI systems with guidance and supervision on how to fulfil the requirements set out in this Regulation, so that the AI systems may exit the sandbox being in presumption of conformity with the specific requirements of this Regulation that were assessed within the sandbox. Insofar as the AI system complies with the requirements when exiting the sandbox, it shall be presumed to be in conformity with this regulation. In this regard, the exit reports created by the establishing authority shall be taken into account by market surveillance authorities or notified bodies, as applicable, in the context of conformity assessment procedures or market surveillance checks;Establishing authorities are required to provide sandbox prospective providers, who are developing high-risk AI systems, with guidance and supervision on how to meet the requirements outlined in this Regulation. This is to ensure that the AI systems can exit the sandbox in a state of presumed conformity with the specific requirements of this Regulation that were assessed within the sandbox. If the AI system meets the requirements upon exiting the sandbox, it will be presumed to be in conformity with this regulation. The exit reports generated by the establishing authority should be considered by market surveillance authorities or notified bodies, as applicable, during conformity assessment procedures or market surveillance checks.
Article 53 – paragraph 22.  Member States shall ensure that to the extent the innovative AI systems involve the processing of personal data or otherwise fall under the supervisory remit of other national authorities or competent authorities providing or supporting access to data, the national data protection authorities and those other national authorities are associated to the operation of the AI regulatory sandbox.2.  Establishing authorities shall ensure that, to the extent the innovative AI systems involve the processing of personal data or otherwise fall under the supervisory remit of other national authorities or competent authorities providing or supporting access to personal data, the national data protection authorities, or in cases referred to in paragraph 1b the EDPS, and those other national authorities are associated to the operation of the AI regulatory sandbox and involved in the supervision of those aspects to the full extent of their respective tasks and powers;deleted2. Authorities shall ensure that, to the extent the innovative AI systems involve the processing of personal data or otherwise fall under the supervisory remit of other national authorities or competent authorities providing or supporting access to data, the national data protection authorities and those other national authorities are associated to the operation of the AI regulatory sandbox and involved in the supervision of those aspects to the full extent of their respective tasks and powers.
Article 53 – paragraph 2a (new)2a. Access to the AI regulatory sandboxes shall be open to any provider or prospective provider of an AI system who fulfils the eligibility and selection criteria referred to in paragraph 6(a) and who has been selected by the national competent authorities following the selection procedure referred to in paragraph 6(b). Providers or prospective providers may also submit applications in partnership with users or any other relevant third parties.

Participation in the AI regulatory sandbox shall be limited to a period that is appropriate to the complexity and scale of the project. This period may be extended by the national competent authority.

Participation in the AI regulatory sandbox shall be based on a specific plan referred to in paragraph 6 of this Article that shall be agreed between the participant(s) and the national competent authoritie(s), as applicable.		Access to the AI regulatory sandboxes shall be open to any provider or prospective provider of an AI system who fulfils the eligibility and selection criteria. Providers or prospective providers may also submit applications in partnership with users or any other relevant third parties. The selection of participants will be carried out by the national competent authorities following a specific procedure.

The duration of participation in the AI regulatory sandbox shall be limited to a period that is appropriate to the complexity and scale of the project, with the possibility of extension by the national competent authority if necessary.

The participation in the AI regulatory sandbox shall be based on a specific plan that shall be agreed between the participant(s) and the national competent authorities. This plan will be in accordance with the provisions referred to in this Article.
Article 53 – paragraph 33.  The AI regulatory sandboxes shall not affect the supervisory and corrective powers of the competent authorities. Any significant risks to health and safety and fundamental rights identified during the development and testing of such systems shall result in immediate mitigation and, failing that, in the suspension of the development and testing process until such mitigation takes place.3.  The AI regulatory sandboxes shall not affect the supervisory and corrective powers of the competent authorities, including at regional or local level. Any significant risks to fundamental rights, democracy and rule of law, health and safety or the environment identified during the development and testing of such AI systems shall result in immediate and adequate mitigation. Competent authorities shall have the power to temporarily or permanently suspend the testing process, or participation in the sandbox if no effective mitigation is possible and inform the AI office of such decision;3. The participation in the AI regulatory sandboxes shall not affect the supervisory and corrective powers of the authorities supervising the sandbox. Those authorities shall exercice their supervisory powers in a flexible manner within the limits of the relevant legislation, using their discretionary powers when implementing legal provisions to a specific AI sandbox project, with the objective of supporting innovation in AI in the Union.

Provided that the participant(s) respect the sandbox plan and the terms and conditions for their participation as referred to in paragraph 6(c) and follow in good faith the guidance given by the authorities, no administrative fines shall be imposed by the authorities for infringement of applicable Union or Member State legislation relating to the AI system supervised in the sandbox, including the provisions of this Regulation.		3. The participation in the AI regulatory sandboxes shall not affect the supervisory and corrective powers of the competent authorities, including at regional or local level. Those authorities shall exercise their supervisory powers in a flexible manner within the limits of the relevant legislation, using their discretionary powers when implementing legal provisions to a specific AI sandbox project, with the objective of supporting innovation in AI in the Union. Any significant risks to fundamental rights, democracy and rule of law, health and safety or the environment identified during the development and testing of such AI systems shall result in immediate and adequate mitigation. Provided that the participant(s) respect the sandbox plan and the terms and conditions for their participation as referred to in paragraph 6(c) and follow in good faith the guidance given by the authorities, no administrative fines shall be imposed by the authorities for infringement of applicable Union or Member State legislation relating to the AI system supervised in the sandbox, including the provisions of this Regulation. However, competent authorities shall have the power to temporarily or permanently suspend the testing process, or participation in the sandbox if no effective mitigation is possible and inform the AI office of such decision.
Article 53 – paragraph 44.  Participants in the AI regulatory sandbox shall remain liable under applicable Union and Member States liability legislation for any harm inflicted on third parties as a result from the experimentation taking place in the sandbox.4.  Prospective providers in the AI regulatory sandbox shall remain liable under applicable Union and Member States liability legislation for any harm inflicted on third parties as a result of the experimentation taking place in the sandbox. However, provided that the prospective provider(s) respect the specific plan referred to in paragraph 1c and the terms and conditions for their participation and follow in good faith the guidance given by the establishing authorities, no administrative fines shall be imposed by the authorities for infringements of this Regulation;4. The participants remain liable under applicable Union and Member States liability legislation for any damage caused in the course of their participation in an AI regulatory sandbox.4. Participants, including prospective providers, in the AI regulatory sandbox shall remain liable under applicable Union and Member States liability legislation for any harm or damage inflicted on third parties as a result of the experimentation taking place in the sandbox. However, provided that the participants respect the specific plan referred to in paragraph 1c and the terms and conditions for their participation and follow in good faith the guidance given by the establishing authorities, no administrative fines shall be imposed by the authorities for infringements of this Regulation.
Article 53 – paragraph 4a (new)4a. Upon request of the provider or prospective provider of the AI system, the national competent authority shall provide, where applicable, a written proof of the activities successfully carried out in the sandbox. The national competent authority shall also provide an exit report detailing the activities carried out in the sandbox and the related results and learning outcomes. Such written proof and exit report could be taken into account by market surveillance authorities or notified bodies, as applicable, in the context of conformity assessment procedures or market surveillance checks.

Subject to the confidentiality provisions in Article 70 and with the agreement of the sandbox participants, the European Commission and the AI Board shall be authorised to access the exit reports and shall take them into account, as appropriate, when exercising their tasks under this Regulation. If both the participant and the national competent authority explicitly agree to this, the exit report can be made publicly available through the single information platform referred to in article 55(3)(b).		Upon request of the AI system provider or prospective provider, the national competent authority shall provide a written proof of the activities successfully completed in the sandbox, as well as an exit report detailing the activities, results, and learning outcomes. These documents may be considered by market surveillance authorities or notified bodies in the context of conformity assessment procedures or market surveillance checks.

In accordance with Article 70’s confidentiality provisions and with the agreement of the sandbox participants, the European Commission and the AI Board are authorized to access the exit reports for the purpose of their tasks under this Regulation. If both the participant and the national competent authority explicitly agree, the exit report can be made publicly available through the single information platform referred to in article 55(3)(b).
Article 53 – paragraph 4b (new)4b. The AI regulatory sandboxes shall be designed and implemented in such a way that, where relevant, they facilitate cross-border cooperation between the national competent authorities.The AI regulatory sandboxes shall be designed and implemented in such a way that, where relevant, they facilitate cross-border cooperation between the national competent authorities.
Article 53 – paragraph 55.  Member States’ competent authorities that have established AI regulatory sandboxes shall coordinate their activities and cooperate within the framework of the European Artificial Intelligence Board. They shall submit annual reports to the Board and the Commission on the results from the implementation of those scheme, including good practices, lessons learnt and recommendations on their setup and, where relevant, on the application of this Regulation and other Union legislation supervised within the sandbox.5.  Establishing authorities shall coordinate their activities and cooperate within the framework of the AI office;5. National competent authorities shall make publicly available annual reports on the implementation of the AI regulatory sandboxes, including good practices, lessons learnt and recommendations on their setup and, where relevant, on the application of this Regulation and other Union legislation supervised within the sandbox. Those annual reports shall be submitted to the AI Board which shall make publicly available a summary of all good practices, lessons learnt and recommendations. This obligation to make annual reports publicly available shall not cover sensitive operational data in relation to the activities of law enforcement, border control, immigration or asylum authorities. The Commission and the AI Board shall, where appropriate, take the annual reports into account when exercising their tasks under this Regulation.5. The competent authorities of Member States that have established AI regulatory sandboxes shall coordinate their activities and cooperate within the framework of the European Artificial Intelligence Board, also referred to as the AI office. They shall make publicly available annual reports on the results from the implementation of those schemes, including good practices, lessons learnt and recommendations on their setup and, where relevant, on the application of this Regulation and other Union legislation supervised within the sandbox. These annual reports shall be submitted to the AI Board, which shall make publicly available a summary of all good practices, lessons learnt and recommendations. This obligation to make annual reports publicly available shall not cover sensitive operational data in relation to the activities of law enforcement, border control, immigration or asylum authorities. The Commission and the AI Board shall, where appropriate, take the annual reports into account when exercising their tasks under this Regulation.
Article 53 – paragraph 5a (new)5a. Establishing authorities shall inform the AI Office of the establishment of a sandbox and may ask for support and guidance. A list of planned and existing sandboxes shall be made publicly available by the AI office and kept up to date in order to encourage more interaction in the regulatory sandboxes and transnational cooperation;Establishing authorities are required to notify the AI Office upon the creation of a sandbox and may request assistance and guidance. The AI Office will maintain and publicly share a list of proposed and existing sandboxes to promote increased participation in regulatory sandboxes and foster transnational cooperation.
Article 53 – paragraph 5b (new) [P]5b. Establishing authorities shall submit to the AI office and, unless the Commission is the sole establishing authority, to the Commission, annual reports, starting one year after the establishment of the sandbox and then every year until its termination and a final report. Those reports shall provide information on the progress and results of the implementation of those sandboxes, including best practices, incidents, lessons learnt and recommendations on their setup and, where relevant, on the application and possible revision of this Regulation and other Union law supervised within the sandbox. Those annual reports or abstracts thereof shall be made available to the public, online;Establishing authorities are required to submit annual reports to the AI office and, if the Commission is not the sole establishing authority, to the Commission as well. These reports should be submitted starting one year after the establishment of the sandbox and continue annually until its termination, at which point a final report should be submitted. These reports should provide information on the progress and results of the implementation of the sandboxes, including best practices, incidents, lessons learned, and recommendations on their setup. Additionally, where relevant, the reports should include information on the application and potential revision of this Regulation and other Union law supervised within the sandbox. These annual reports, or abstracts of them, should be made available to the public online.
Article 53 – paragraph 5b (new) [C]5b. The Commission shall ensure that information about AI regulatory sandboxes, including about those established under this Article, is available through the single information platform referred to in Article 55(3)(b)The Commission shall ensure the availability of information regarding AI regulatory sandboxes, inclusive of those established under this Article, through the single information platform as mentioned in Article 55(3)(b).
Article 53 – paragraph 66. The modalities and the conditions of the operation of the AI regulatory sandboxes, including the eligibility criteria and the procedure for the application, selection, participation and exiting from the sandbox, and the rights and obligations of the participants shall be set out in implementing acts. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 74(2).6. The Commission shall develop a single and dedicated interface containing all relevant information related to sandboxes, together with a single contact point at Union level to interact with the regulatory sandboxes and to allow stakeholders to raise enquiries with competent authorities, and to seek non-binding guidance on the conformity of innovative products, services, business models embedding AI technologies;

The Commission shall proactively coordinate with national, regional and also local authorities, where relevant;		(6) The modalities and the conditions for the establishment and operation of the AI regulatory sandboxes under this Regulation shall be adopted through implementing acts in accordance with the examination procedure referred to in Article 74(2).

The modalities and conditions shall to the best extent possible support flexibility for national competent authorities to establish and operate their AI regulatory sandboxes, foster innovation and regulatory learning and shall particularly take into account the special circumstances and capacities of participating SMEs, including start-ups.

Those implementing acts shall include common main principles on the following issues:
a) eligibility and selection for participation in the AI regulatory sandbox;
b) procedure for the application, participation, monitoring, exiting from and
termination of the AI regulatory sandbox, including the sandbox plan and the exit report;
c) the terms and conditions applicable to the participants.		6. The modalities and conditions for the establishment, operation, and application of the AI regulatory sandboxes, including the eligibility criteria, selection, participation, monitoring, exiting, and termination, along with the rights and obligations of the participants, shall be set out in implementing acts. These acts shall be adopted in accordance with the examination procedure referred to in Article 74(2).

The Commission shall develop a single and dedicated interface containing all relevant information related to sandboxes, together with a single contact point at Union level to interact with the regulatory sandboxes and to allow stakeholders to raise enquiries with competent authorities, and to seek non-binding guidance on the conformity of innovative products, services, business models embedding AI technologies.

The Commission shall proactively coordinate with national, regional, and also local authorities, where relevant. The modalities and conditions shall, to the best extent possible, support flexibility for national competent authorities to establish and operate their AI regulatory sandboxes, foster innovation and regulatory learning, and shall particularly take into account the special circumstances and capacities of participating SMEs, including start-ups.

The implementing acts shall include common main principles on the following issues: a) eligibility and selection for participation in the AI regulatory sandbox; b) procedure for the application, participation, monitoring, exiting from and termination of the AI regulatory sandbox, including the sandbox plan and the exit report; c) the terms and conditions applicable to the participants.
Article 53 – paragraph 6a (new) [P]6a. For the purpose of paragraph 1 and 1a, the Commission shall play a complementary role, enabling Member States to build on their expertise and, on the other hand, assisting and providing technical understanding and resources to those Member States that seek guidance on the set-up and running of these regulatory sandboxes;For the purpose of paragraph 1 and 1a, the Commission shall play a supportive role, enabling Member States to leverage their expertise while also providing technical understanding and resources to those Member States seeking guidance on the establishment and operation of these regulatory sandboxes.
Article 53 – paragraph 7 (new) [P]7. When national competent authorities consider authorising testing in real world conditions supervised within the framework of an AI regulatory sandbox established under this Article, they shall specifically agree with the participants on the terms and conditions of such testing and in particular on the appropriate safeguards with the view to protect fundamental rights, health and safety. Where appropriate, they shall cooperate with other national competent authorities with a view to ensure consistent practices across the UnionNone
Article 53a (new)Article 53 a
Modalities and functioning of AI regulatory sandboxes

1. In order to avoid fragmentation across the Union, the Commission, in consultation with the AI office, shall adopt a delegated act detailing the modalities for the establishment, development, implementation, functioning and supervision of the AI regulatory sandboxes, including the eligibility criteria and the procedure for the application, selection, participation and exiting from the sandbox, and the rights and obligations of the participants based on the provisions set out in this Article;

2. The Commission is empowered to adopt delegated acts in accordance with the procedure referred to in Article 73, no later than 12 months following the entry into force of this Regulation and shall ensure that:
a) regulatory sandboxes are open to any applying prospective provider of an AI system who fulfils eligibility and selection criteria. The criteria for accessing to the regulatory sandbox are transparent and fair and establishing authorities inform applicants of their decision within 3 months of the application;
b) regulatory sandboxes allow broad and equal access and keep up with demand for participation;
c) access to the AI regulatory sandboxes is free of charge for SMEs and start-ups without prejudice to exceptional costs that establishing authorities may recover in a fair and proportionate manner;
d) regulatory sandboxes facilitate the involvement of other relevant actors within the AI ecosystem, such as notified bodies and standardisation organisations (SMEs, start-ups, enterprises, innovators, testing and experimentation facilities, research and experimentation labs and digital innovation hubs, centers of excellence, individual researchers), in order to allow and facilitate cooperation with the public and private sector;
e) they allow prospective providers to to fulfil, in a controlled environment, the conformity assessment obligations of this Regulation or the voluntary application of the codes of conduct referred to in Article 69;
f) procedures, processes and administrative requirements for application, selection, participation and exiting the sandbox are simple, easily intelligible, clearly communicated in order to facilitate the participation of SMEs and start-ups with limited legal and administrative capacities and are streamlined across the Union, in order to avoid fragmentation and that participation in a regulatory sandbox established by a Member State, by the Commission, or by the EDPS is mutually and uniformly recognised and carries the same legal effects across the Union;
g) participation in the AI regulatory sandbox is limited to a period that is appropriate to the complexity and scale of the project.
h) the sandboxes shall facilitate the development of tools and infrastructure for testing, benchmarking, assessing and explaining dimensions of AI systems relevant to sandboxes, such as accuracy, robustness and cybersecurity as well as minimisation of risks to fundamental rights, environment and the society at large

3. Prospective providers in the sandboxes, in particular SMEs and start-ups, shall be facilitated access to pre-deployment services such as guidance on the implementation of this Regulation, to other value-adding services such as help with standardisation documents and certification and consultation, and to other Digital Single Market initiatives such as Testing & Experimentation Facilities, Digital Hubs, Centres of Excellence, and EU benchmarking capabilities;

Article 53 a
Modalities and functioning of AI regulatory sandboxes

1. The Commission, in consultation with the AI office, shall adopt a delegated act detailing the modalities for the establishment, development, implementation, functioning and supervision of the AI regulatory sandboxes. This includes the eligibility criteria and the procedure for the application, selection, participation and exiting from the sandbox, and the rights and obligations of the participants based on the provisions set out in this Article. This is to avoid fragmentation across the Union.

2. The Commission is empowered to adopt delegated acts in accordance with the procedure referred to in Article 73, no later than 12 months following the entry into force of this Regulation. The Commission shall ensure that:
a) regulatory sandboxes are open to any applying prospective provider of an AI system who fulfils eligibility and selection criteria. The criteria for accessing the regulatory sandbox are transparent and fair. Establishing authorities inform applicants of their decision within 3 months of the application;
b) regulatory sandboxes allow broad and equal access and keep up with demand for participation;
c) access to the AI regulatory sandboxes is free of charge for SMEs and start-ups, without prejudice to exceptional costs that establishing authorities may recover in a fair and proportionate manner;
d) regulatory sandboxes facilitate the involvement of other relevant actors within the AI ecosystem, such as notified bodies and standardisation organisations, in order to allow and facilitate cooperation with the public and private sector;
e) they allow prospective providers to fulfil, in a controlled environment, the conformity assessment obligations of this Regulation or the voluntary application of the codes of conduct referred to in Article 69;
f) procedures, processes and administrative requirements for application, selection, participation and exiting the sandbox are simple, easily intelligible, clearly communicated and are streamlined across the Union, in order to facilitate the participation of SMEs and start-ups with limited legal and administrative capacities and to avoid fragmentation. Participation in a regulatory sandbox established by a Member State, by the Commission, or by the EDPS is mutually and uniformly recognised and carries the same legal effects across the Union;
g) participation in the AI regulatory sandbox is limited to a period that is appropriate to the complexity and scale of the project.
h) the sandboxes shall facilitate the development of tools and infrastructure for testing, benchmarking, assessing and explaining dimensions of AI systems relevant to sandboxes, such as accuracy, robustness and cybersecurity as well as minimisation of risks to fundamental rights, environment and the society at large

3. Prospective providers in the sandboxes, in particular SMEs and start-ups, shall be facilitated access to pre-deployment services such as guidance on the implementation of this Regulation, to other value-adding services such as help with standardisation documents and certification and consultation, and to other Digital Single Market initiatives such as Testing & Experimentation Facilities, Digital Hubs, Centres of Excellence, and EU benchmarking capabilities.
Article 54
NumberingCommissionParliamentCouncilText proposed by the AI
Article 54 Article 54
Further processing of personal data for developing certain AI systems in the public interest in the AI regulatory sandbox		Article 54
Further processing of data for developing certain AI systems in the public interest in the AI regulatory sandbox		Article 54
Further processing of personal data for developing certain AI systems in the public interest in the AI regulatory sandbox		Article 54
Further processing of personal data for developing certain AI systems in the public interest in the AI regulatory sandbox
Article 54 – paragraph 1 – introductory part1. In the AI regulatory sandbox personal data lawfully collected for other purposes shall be processed for the purposes of developing and testing certain innovative AI systems in the sandbox under the following conditions:1. In the AI regulatory sandbox personal data lawfully collected for other purposes may be processed solely for the purposes of developing and testing certain AI systems in the sandbox when all of the following conditions are met:1. In the AI regulatory sandbox personal data lawfully collected for other purposes may be processed for the purposes of developing, testing and training of innovative AI systems in the sandbox under the following cumulative conditions:1. In the AI regulatory sandbox, personal data lawfully collected for other purposes may be processed for the purposes of developing, testing, and training certain innovative AI systems in the sandbox, under the following cumulative conditions:
Article 54 – paragraph 1 – point a (a) the innovative AI systems shall be developed for safeguarding substantial public interest in one or more of the following areas:

(i) the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security, under the control and responsibility of the competent authorities. The processing shall be based on Member State or Union law;

(ii) public safety and public health, including disease prevention, control and treatment;

(iii) a high level of protection and improvement of the quality of the environment;		(a) AI systems shall be developed for safeguarding substantial public interest in one or more of the following areas:

(i) deleted

(ii) public safety and public health, including disease detection, diagnosis prevention, control and treatment;

(iii) a high level of protection and improvement of the quality of the environment, protection of biodiversity, pollution as well as climate change mitigation and adaptation;

(iii a) safety and resilience of transport systems, critical infrastructure and networks.
(a) the innovative AI systems shall be developed for safeguarding substantial public interest by a public authority or another natural or legal person governed by public law or by private law and in one or more of the following areas:

(i) [deleted]

(ii) public safety and health, including prevention, control and treatment of disease and improvement of health care systems;

(iii) protection and improvement of the quality of the environment, including green transition, climate change mitigation and adaptation;

(iv) energy sustainability, transport and mobility;

(v) efficiency and quality of public administration and public services;

(vi) cybersecurity and resilience of critical infrastructure.		(a) AI systems shall be innovatively developed for safeguarding substantial public interest by a public authority or another natural or legal person governed by public law or by private law in one or more of the following areas:

(i) [deleted]
(ii) public safety and health, including disease detection, diagnosis, prevention, control, treatment, and improvement of health care systems;

(iii) a high level of protection and improvement of the quality of the environment, including green transition, protection of biodiversity, pollution, climate change mitigation and adaptation;

(iv) safety, resilience, and sustainability of transport systems, critical infrastructure, networks, and energy;

(v) efficiency and quality of public administration and public services;

(vi) cybersecurity and resilience of critical infrastructure.
Article 54 – paragraph 1 – point b(b) the data processed are necessary for complying with one or more of the requirements referred to in Title III, Chapter 2 where those requirements cannot be effectively fulfilled by processing anonymised, synthetic or other non-personal data;(b) the data processed are necessary for complying with one or more of the requirements referred to in Title III, Chapter 2 where those requirements cannot be effectively fulfilled by processing anonymised, synthetic or other non-personal data;(b) the data processed are necessary for complying with one or more of the requirements referred to in Title III, Chapter 2 where those requirements cannot be effectively fulfilled by processing anonymised, synthetic or other non-personal data;(b) the data processed are necessary for complying with one or more of the requirements referred to in Title III, Chapter 2 where those requirements cannot be effectively fulfilled by processing anonymised, synthetic or other non-personal data;
Article 54 – paragraph 1 – point c(c) there are effective monitoring mechanisms to identify if any high risks to the fundamental rights of the data subjects may arise during the sandbox experimentation as well as response mechanism to promptly mitigate those risks and, where necessary, stop the processing;(c) there are effective monitoring mechanisms to identify if any high risks to the rights and freedoms of the data subjects, as referred to in Article 35 of Regulation (EU) 2016/679 and in Article 35 of Regulation (EU) 2018/1725 may arise during the sandbox experimentation as well as response mechanism to promptly mitigate those risks and, where necessary, stop the processing(c) there are effective monitoring mechanisms to identify if any high risks to the rights and freedoms of the data subjects, as referred to in Article 35 of Regulation (EU) 2016/679 and in Article 39 of Regulation (EU) 2018/1725, may arise during the sandbox experimentation as well as response mechanism to promptly mitigate those risks and, where necessary, stop the processing;(c) there are effective monitoring mechanisms to identify if any high risks to the fundamental rights and freedoms of the data subjects, as referred to in Article 35 of Regulation (EU) 2016/679 and in Article 35 and 39 of Regulation (EU) 2018/1725, may arise during the sandbox experimentation as well as response mechanism to promptly mitigate those risks and, where necessary, stop the processing;
Article 54 – paragraph 1 – point d(d) any personal data to be processed in the context of the sandbox are in a functionally separate, isolated and protected data processing environment under the control of the participants and only authorised persons have access to that data;(d) any personal data to be processed in the context of the sandbox are in a functionally separate, isolated and protected data processing environment under the control of the prospective provider and only authorised persons have access to that those data;(d) any personal data to be processed in the context of the sandbox are in a functionally separate, isolated and protected data processing environment under the control of the participants and only authorised persons have access to that data;(d) any personal data to be processed in the context of the sandbox are in a functionally separate, isolated and protected data processing environment under the control of the participants and the prospective provider, and only authorised persons have access to that data;
Article 54 – paragraph 1 – point e(e) any personal data processed are not be transmitted, transferred or otherwise accessed by other parties;(e) any personal data processed are not be transmitted, transferred or otherwise accessed by other parties;(e) any personal data processed are not to be transmitted, transferred or otherwise accessed by other parties that are not participants in the sandbox, unless such disclosure occurs in compliance with Regulation (EU) 2016/679 or, where applicable, Regulation 2018/725, and all participants have agreed to it;(e) any personal data processed are not to be transmitted, transferred or otherwise accessed by other parties, unless such disclosure occurs in compliance with Regulation (EU) 2016/679 or, where applicable, Regulation 2018/725, and all participants have agreed to it;
Article 54 – paragraph 1 – point f(f) any processing of personal data in the context of the sandbox do not lead to measures or decisions affecting the data subjects;(f) any processing of personal data in the context of the sandbox do not lead to measures or decisions affecting the data subjects nor affect the application of their rights laid down in Union law on the protection of personal data;(f) any processing of personal data in the context of the sandbox shall not affect the application of the rights of the data subjects as provided for under Union law on the protection of personal data, in particular in Article 22 of Regulation (EU) 2016/679 and Article 24 of Regulation (EU) 2018/1725(f) any processing of personal data in the context of the sandbox shall not lead to measures or decisions affecting the data subjects, nor affect the application of their rights as laid down in Union law on the protection of personal data, in particular in Article 22 of Regulation (EU) 2016/679 and Article 24 of Regulation (EU) 2018/1725.
Article 54 – paragraph 1 – point g(g) any personal data processed in the context of the sandbox are deleted once the participation in the sandbox has terminated or the personal data has reached the end of its retention period;(g) any personal data processed in the context of the sandbox are protected by means of appropriate technical and organisational measures and deleted once the participation in the sandbox has terminated or the personal data has reached the end of its retention period;(g) any personal data processed in the context of the sandbox are protected by means of appropriate technical and organisational measures and deleted once the participation in the sandbox has terminated or the personal data has reached the end of its retention period;(g) any personal data processed in the context of the sandbox are protected by means of appropriate technical and organisational measures and deleted once the participation in the sandbox has terminated or the personal data has reached the end of its retention period;
Article 54 – paragraph 1 – point h(h) the logs of the processing of personal data in the context of the sandbox are kept for the duration of the participation in the sandbox and 1 year after its termination, solely for the purpose of and only as long as necessary for fulfilling accountability and documentation obligations under this Article or other application Union or Member States legislation;(h) the logs of the processing of personal data in the context of the sandbox are kept for the duration of the participation in the sandbox;(h) the logs of the processing of personal data in the context of the sandbox are kept for the duration of the participation in the sandbox, unless provided otherwise by Union or national law;(h) the logs of the processing of personal data in the context of the sandbox are kept for the duration of the participation in the sandbox and 1 year after its termination, unless provided otherwise by Union or national law, solely for the purpose of and only as long as necessary for fulfilling accountability and documentation obligations under this Article or other applicable Union or Member States legislation.
Article 54 – paragraph 1 – point i(i) complete and detailed description of the process and rationale behind the training, testing and validation of the AI system is kept together with the testing results as part of the technical documentation in Annex IV;(i) complete and detailed description of the process and rationale behind the training, testing and validation of the AI system is kept together with the testing results as part of the technical documentation in Annex IV;(i) complete and detailed description of the process and rationale behind the training, testing and validation of the AI system is kept together with the testing results as part of the technical documentation in Annex IV;(i) complete and detailed description of the process and rationale behind the training, testing and validation of the AI system is kept together with the testing results as part of the technical documentation in Annex IV;
Article 54 – paragraph 1 – point j(j) a short summary of the AI project developed in the sandbox, its objectives and expected results published on the website of the competent authorities.(j) a short summary of the AI system developed in the sandbox, its objectives, hypotheses, and expected results, published on the website of the competent authorities;(j) a short summary of the AI project developed in the sandbox, its objectives and expected results published on the website of the competent authorities. This obligation shall not cover sensitive operational data in relation to the activities of law enforcement, border control, immigration or asylum authorities.(j) a short summary of the AI system/project developed in the sandbox, its objectives, hypotheses, and expected results, published on the website of the competent authorities. This obligation shall not cover sensitive operational data in relation to the activities of law enforcement, border control, immigration or asylum authorities.
Article 54 – paragraph 1a (new)1a. For the purpose of prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security, under the control and responsibility of law enforcement authorities, the processing of personal data in AI regulatory sandboxes shall be based on a specific Member State or Union law and subject to the same cumulative conditions as referred to in paragraph 1.None
Article 54 – paragraph 22. Paragraph 1 is without prejudice to Union or Member States legislation excluding processing for other purposes than those explicitly mentioned in that legislation.2. Paragraph 1 is without prejudice to Union or Member States legislation excluding processing for other purposes than those explicitly mentioned in that legislation.2. Paragraph 1 is without prejudice to Union or Member States laws laying down the basis for the processing of personal data which is necessary for the purpose of developing, testing and training of innovative AI systems or any other legal basis, in compliance with Union law on the protection of personal data.2. Paragraph 1 is without prejudice to Union or Member States legislation or laws excluding processing for other purposes than those explicitly mentioned in that legislation, and laying down the basis for the processing of personal data which is necessary for the purpose of developing, testing and training of innovative AI systems or any other legal basis, in compliance with Union law on the protection of personal data.
Article 54a (new) [P]Article 54 a
Promotion of AI research and development in support of socially and environmentally beneficial outcomes

1. Member States shall promote research and development of AI solutions which support socially and environmentally beneficial outcomes, including but not limited to development of AI-based solutions to increase accessibility for persons with disabilities, tackle socio-economic inequalities, and meet sustainability and environmental targets, by:

(a) providing relevant projects with priority access to the AI regulatory sandboxes to the extent that they fulfil the eligibility conditions;

(b) earmarking public funding, including from relevant EU funds, for AI research and development in support of socially and environmentally beneficial outcomes;

(c) organising specific awareness raising activities about the application of this Regulation, the availability of and application procedures for dedicated funding, tailored to the needs of those projects;

(d) where appropriate, establishing accessible dedicated channels, including within the sandboxes, for communication with projects to provide guidance and respond to queries about the implementation of this Regulation.

Member States shall support civil society and social stakeholders to lead or participate in such projects;

Article 54 a
Promotion of AI research and development for socially and environmentally beneficial outcomes

1. Member States shall encourage the research and development of AI solutions that support socially and environmentally beneficial outcomes. These include but are not limited to the development of AI-based solutions to enhance accessibility for persons with disabilities, address socio-economic inequalities, and achieve sustainability and environmental targets. This can be accomplished by:

(a) granting priority access to AI regulatory sandboxes for relevant projects that meet the eligibility conditions;

(b) designating public funding, including from appropriate EU funds, for AI research and development that supports socially and environmentally beneficial outcomes;

(c) conducting specific awareness-raising activities about the application of this Regulation, the availability of and application procedures for dedicated funding, tailored to the needs of these projects;

(d) where suitable, creating accessible dedicated channels, including within the sandboxes, for communication with projects to provide guidance and answer queries about the implementation of this Regulation.

Member States shall also support civil society and social stakeholders in leading or participating in such projects.
Article 54a (new) [C]Article 54a
Testing of high-risk AI systems in real world conditions outside AI regulatory sandboxes

1. Testing of AI systems in real world conditions outside AI regulatory sandboxes may be conducted by providers or prospective providers of high-risk AI systems listed in Annex III, in accordance with the provisions of this Article and the real-world testing plan referred to in this Article.
The detailed elements of the real-world testing plan shall be specified in implementing acts adopted by the Commission in accordance with the examination procedure referred to in Article 74(2).
This provision shall be without prejudice to Union or Member State legislation for the testing in real world conditions of high-risk AI systems related to products covered by legislation listed in Annex II.

2. Providers or prospective providers may conduct testing of high-risk AI systems referred to in Annex III in real world conditions at any time before the placing on the market or putting into service of the AI system on their own or in partnership with one or more prospective users.

3. The testing of high-risk AI systems in real world conditions under this Article shall be without prejudice to ethical review that may be required by national or Union law.

4. Providers or prospective providers may conduct the testing in real world conditions only where all of the following conditions are met:
(a) the provider or prospective provider has drawn up a real-world testing plan and submitted it to the market surveillance authority in the Member State(s) where thetesting in real world conditions is to be conducted;
(b) the market surveillance authority in the Member State(s) where the testing in real
world conditions is to be conducted have not objected to the testing within 30 days after its submission;
(c) the provider or prospective provider with the exception of high-risk AI systems
referred to in Annex III, points 1, 6 and 7 in the areas of law enforcement, migration, asylum and border control management, and high risk AI systems referred to in Annex III point 2, has registered the testing in real world conditions in the EU database
referred to in Article 60(5a) with a Union-wide unique single identification number
and the information specified in Annex VIIIa;
(d) the provider or prospective provider conducting the testing in real world conditions is established in the Union or it has appointed a legal representative for the purpose of the testing in real world conditions who is established in the Union;
(e) data collected and processed for the purpose of the testing in real world conditions shall not be transferred to countries outside the Union, unless the transfer and the processing provides equivalent safeguards to those provided under Union law;
(f) the testing in real world conditions does not last longer than necessary to achieve its objectives and in any case not longer than 12 months;
(g) persons belonging to vulnerable groups due to their age, physical or mental disability are appropriately protected;
(h) [deleted] (i) where a provider or prospective provider organises the testing in real world conditions in cooperation with one or more prospective users, the latter have been informed of all aspects of the testing that are relevant to their decision to participate, and given the relevant instructions on how to use the AI system referred to in Article 13; the
provider or prospective provider and the user(s) shall conclude an agreement
specifying their roles and responsibilities with a view to ensuring compliance with the provisions for testing in real world conditions under this Regulation and other
applicable Union and Member States legislation;
(j) the subjects of the testing in real world conditions have given informed consent in accordance with Article 54b, or in the case of law enforcement, where the seeking of informed consent would prevent the AI system from being tested, the testing itself and the outcome of the testing in the real world conditions shall not have a negative effect on the subject;
(k) the testing in real world conditions is effectively overseen by the provider or
prospective provider and user(s) with persons who are suitably qualified in the
relevant field and have the necessary capacity, training and authority to perform their tasks;
(l) the predictions, recommendations or decisions of the AI system can be effectively reversed or disregarded.

5. Any subject of the testing in real world conditions, or his or her legally designated representative, as appropriate, may, without any resulting detriment and without having to provide any justification, withdraw from the testing at any time by revoking his or her informed consent. The withdrawal of the informed consent shall not affect the activities already carried out and the use of data obtained based on the informed consent before its withdrawal.

6. Any serious incident identified in the course of the testing in real world conditions shall be reported to the national market surveillance authority in accordance with Article 62 of this Regulation. The provider or prospective provider shall adopt immediate mitigation
measures or, failing that, suspend the testing in real world conditions until such mitigation takes place or otherwise terminate it. The provider or prospective provider shall establish a procedure for the prompt recall of the AI system upon such termination of the testing in real world conditions.

7. Providers or prospective providers shall notify the national market surveillance authority in the Member State(s) where the testing in real world conditions is to be conducted of the suspension or termination of the testing in real world conditions and the final outcomes.

8. The provider and prospective provider shall be liable under applicable Union and Member States liability legislation for any damage caused in the course of their participation in the testing in real world conditions.

Article 54a
Testing of high-risk AI systems in real world conditions outside AI regulatory sandboxes

1. Providers or prospective providers of high-risk AI systems listed in Annex III may conduct testing of AI systems in real world conditions outside AI regulatory sandboxes, in accordance with the provisions of this Article and the real-world testing plan referred to in this Article. The detailed elements of the real-world testing plan shall be specified in implementing acts adopted by the Commission in accordance with the examination procedure referred to in Article 74(2). This provision shall be without prejudice to Union or Member State legislation for the testing in real world conditions of high-risk AI systems related to products covered by legislation listed in Annex II.

2. Providers or prospective providers may conduct testing of high-risk AI systems referred to in Annex III in real world conditions at any time before the placing on the market or putting into service of the AI system on their own or in partnership with one or more prospective users.

3. The testing of high-risk AI systems in real world conditions under this Article shall be without prejudice to ethical review that may be required by national or Union law.

4. Providers or prospective providers may conduct the testing in real world conditions only where all of the following conditions are met:
(a) the provider or prospective provider has drawn up a real-world testing plan and submitted it to the market surveillance authority in the Member State(s) where the testing in real world conditions is to be conducted;
(b) the market surveillance authority in the Member State(s) where the testing in real world conditions is to be conducted have not objected to the testing within 30 days after its submission;
(c) the provider or prospective provider has registered the testing in real world conditions in the EU database referred to in Article 60(5a) with a Union-wide unique single identification number and the information specified in Annex VIIIa;
(d) the provider or prospective provider conducting the testing in real world conditions is established in the Union or it has appointed a legal representative for the purpose of the testing in real world conditions who is established in the Union;
(e) data collected and processed for the purpose of the testing in real world conditions shall not be transferred to countries outside the Union, unless the transfer and the processing provides equivalent safeguards to those provided under Union law;
(f) the testing in real world conditions does not last longer than necessary to achieve its objectives and in any case not longer than 12 months;
(g) persons belonging to vulnerable groups due to their age, physical or mental disability are appropriately protected;
(h) where a provider or prospective provider organises the testing in real world conditions in cooperation with one or more prospective users, the latter have been informed of all aspects of the testing that are relevant to their decision to participate, and given the relevant instructions on how to use the AI system referred to in Article 13; the provider or prospective provider and the user(s) shall conclude an agreement specifying their roles and responsibilities with a view to ensuring compliance with the provisions for testing in real world conditions under this Regulation and other applicable Union and Member States legislation;
(i) the subjects of the testing in real world conditions have given informed consent in accordance with Article 54b, or in the case of law enforcement, where the seeking of informed consent would prevent the AI system from being tested, the testing itself and the outcome of the testing in the real world conditions shall not have a negative effect on the subject;
(j) the testing in real world conditions is effectively overseen by the provider or prospective provider and user(s) with persons who are suitably qualified in the relevant field and have the necessary capacity, training and authority to perform their tasks;
(k) the predictions, recommendations or decisions of the AI system can be effectively reversed or disregarded.

5. Any subject of the testing in real world conditions, or his or her legally designated representative, as appropriate, may, without any resulting detriment and without having to provide any justification, withdraw from the testing at any time by revoking his or her informed consent. The withdrawal of the informed consent shall not affect the activities already carried out and the use of data obtained based on the informed consent before its withdrawal.

6. Any serious incident identified in the course of the testing in real world conditions shall be reported to the national market surveillance authority in accordance with Article 62 of this Regulation. The provider or prospective provider shall adopt immediate mitigation measures or, failing that, suspend the testing in real world conditions until such mitigation takes place or otherwise terminate it. The provider or prospective provider shall establish a procedure for the prompt recall of the AI system upon such termination of the testing in real world conditions.

7. Providers or prospective providers shall notify the national market surveillance authority in the Member State(s) where the testing in real world conditions is to be conducted of the suspension or termination of the testing in real world conditions and the final outcomes.

8. The provider and prospective provider shall be liable under applicable Union and Member States liability legislation for any damage caused in the course of their participation in the testing in real world conditions.
Article 54 b (new)Article 54b
Informed consent to participate in testing in real world conditions outside AI regulatory sandboxes

1. For the purpose of testing in real world conditions under Article 54a, informed consent shall be freely given by the subject of testing prior to his or her participation in such testing and after having been duly informed with concise, clear, relevant, and understandable information regarding:
(i) the nature and objectives of the testing in real world conditions and the possible inconvenience that may be linked to his or her participation;
(ii) the conditions under which the testing in real world conditions is to be conducted, including the expected duration of the subject’s participation;
(iii) the subject’s rights and guarantees regarding participation, in particular his or her right to refuse to participate in and the right to withdraw from testing in real world conditions at any time without any resulting detriment and without having to provide any justification;
(iv) the modalities for requesting the reversal or the disregard of the predictions,
recommendations or decisions of the AI system;
(v) the Union-wide unique single identification number of the testing in real world
conditions in accordance with Article 54a(4c) and the contact details of the provider or its legal representative from whom further information can be obtained.

2. The informed consent shall be dated and documented and a copy shall be given to the subject or his or her legal representative.
Article 54b
Informed consent to participate in testing in real world conditions outside AI regulatory sandboxes

1. For the purpose of testing in real world conditions under Article 54a, informed consent shall be freely given by the subject of testing prior to his or her participation in such testing and after having been duly informed with concise, clear, relevant, and understandable information regarding:
(i) the nature and objectives of the testing in real world conditions and the possible inconvenience that may be linked to his or her participation;
(ii) the conditions under which the testing in real world conditions is to be conducted, including the expected duration of the subject’s participation;
(iii) the subject’s rights and guarantees regarding participation, in particular his or her right to refuse to participate in and the right to withdraw from testing in real world conditions at any time without any resulting detriment and without having to provide any justification;
(iv) the modalities for requesting the reversal or the disregard of the predictions,
recommendations or decisions of the AI system;
(v) the Union-wide unique single identification number of the testing in real world
conditions in accordance with Article 54a(4c) and the contact details of the provider or its legal representative from whom further information can be obtained.

2. The informed consent shall be dated and documented and a copy shall be given to the subject or his or her legal representative.
Article 55
NumberingCommissionParliamentCouncilText proposed by the AI
Article 55 Article 55
Measures for small-scale providers and users		Article 55
Measures for SMEs, start-ups and users		Article 55
Support measures for operators, in particular SMEs, including start-ups		Article 55
Support measures for small-scale providers, operators, SMEs, start-ups, and users
Article 55 – paragraph 1 –introductory part1. Member States shall undertake the following actions:1. Member States shall undertake the following actions:1. Member States shall undertake the following actions:None
Article 55 – paragraph 1 – point a(a) provide small-scale providers and start-ups with priority access to the AI regulatory sandboxes to the extent that they fulfil the eligibility conditions;(a) provide SMEs and start-ups, established in the Union, with priority access to the AI regulatory sandboxes, to the extent that they fulfil the eligibility conditions;(a) provide SMEs, including start-ups, with priority access to the AI regulatory sandboxes to the extent that they fulfil the eligibility and selection criteria;(a) provide SMEs, including small-scale providers and start-ups established in the Union, with priority access to the AI regulatory sandboxes, to the extent that they fulfil the eligibility and selection criteria;
Article 55 – paragraph 1 – point b(b) organise specific awareness raising activities about the application of this Regulation tailored to the needs of the small-scale providers and users;(b) organise specific awareness raising and enhanced digital skills development activities on the application of this Regulation tailored to the needs of SMEs, start-ups and users;(b) organise specific awareness raising and training activities about the application of this Regulation tailored to the needs of the SMEs, including start-ups, and, as appropriate, local public authorities;(b) organise specific awareness raising, training, and enhanced digital skills development activities about the application of this Regulation tailored to the needs of the small-scale providers, SMEs, including start-ups, and users, and, as appropriate, local public authorities;
Article 55 – paragraph 1 – point c(c) where appropriate, establish a dedicated channel for communication with small-scale providers and user and other innovators to provide guidance and respond to queries about the implementation of this Regulation.(c) utilise existing dedicated channels and where appropriate, establish new dedicated channels for communication with SMEs, start-ups, users and other innovators to provide guidance and respond to queries about the implementation of this Regulation;(c) where appropriate, establish a dedicated channel for communication with SMEs, including start-ups and, as appropriate, local public authorities to provide advice and respond to queries about the implementation of this Regulation, including as regards participation in AI regulatory sandboxes.(c) utilise existing dedicated channels and where appropriate, establish new dedicated channels for communication with small-scale providers, SMEs, including start-ups, users, other innovators, and, as appropriate, local public authorities to provide guidance, advice and respond to queries about the implementation of this Regulation, including as regards participation in AI regulatory sandboxes.
Article 55 – paragraph 1 – point ca (new)(ca) foster the participation of SMEs and other relevant stakeholders in the standardisation development process.Promote the involvement of SMEs and other pertinent stakeholders in the process of standardisation development.
Article 55 – paragraph 22. The specific interests and needs of the small-scale providers shall be taken into account when setting the fees for conformity assessment under Article 43, reducing those fees proportionately to their size and market size.2. The specific interests and needs of the SMEs, start-ups and users shall be taken into account when setting the fees for conformity assessment under Article 43, reducing those fees proportionately to development stage, their size, market size and market demand. The Commission shall regularly assess the certification and compliance costs for SMEs and start-ups, including through transparent consultations with SMEs, start-ups and users and shall work with Member States to lower such costs where possible. The Commission shall report on these findings to the European Parliament and to the Council as part of the report on the evaluation and review of this Regulation provided for in Article 84(2).2. The specific interests and needs of the SME providers, including start-ups, shall be taken into account when setting the fees for conformity assessment under Article 43, reducing those fees proportionately to their size, market size and other relevant indicators.2. The specific interests and needs of the small-scale providers, SMEs, start-ups, and users shall be taken into account when setting the fees for conformity assessment under Article 43, reducing those fees proportionately to their development stage, size, market size, and other relevant indicators. The Commission shall regularly assess the certification and compliance costs for SMEs, start-ups, including through transparent consultations with SMEs, start-ups, and users and shall work with Member States to lower such costs where possible. The Commission shall report on these findings to the European Parliament and to the Council as part of the report on the evaluation and review of this Regulation provided for in Article 84(2).
Article 55 – paragraph 3 (new)3. The Commission shall undertake the following actions:

(a) upon request of the AI Board, provide standardised templates for the areas covered by this Regulation;

(b) develop and maintain a single information platform providing easy to use
information in relation to this Regulation for all operators across the Union;

(c) organise appropriate communication campaigns to raise awareness about the obligations arising from this Regulation;

(d) evaluate and promote the convergence of best practices in public procurement procedures in relation to AI systems		The Commission is mandated to carry out the following actions:

(a) Upon the request of the AI Board, the Commission will provide standardised templates for the areas covered by this Regulation;

(b) The Commission will develop and maintain a single information platform that provides user-friendly information related to this Regulation for all operators across the Union;

(c) The Commission will organise suitable communication campaigns to increase awareness about the obligations that arise from this Regulation;

(d) The Commission will evaluate and promote the convergence of best practices in public procurement procedures in relation to AI systems.
Article 55a (new)Article 55a
Derogations for specific operators

1. The obligations laid down in Article 17 of this Regulation shall not apply to microenterprises as defined in Article 2(3) of the Annex to the Commission Recommendation 2003/361/EC concerning the definition of micro, small and medium-sized enterprises, provided those enterprises do not have partner enterprises or linked enterprises as defined in Article 3 of the same Annex.

2. Paragraph 1 shall not be interpreted as exempting those operators from fulfilling any other requirements and obligations laid down in this Regulation, including those established in Articles 9, 61 and 62.

3. Requirements and obligations for general purpose AI systems laid down in Article 4b shall not apply to micro, small and medium-sized enterprises, provided those enterprises do not have partner enterprises or linked enterprises as defined in Article 3 of the the Annex to the Commission Recommendation 2003/361/EC concerning the definition of micro, small and medium-sized enterprises		Article 55a
Derogations for specific operators

1. The obligations laid down in Article 17 of this Regulation shall not apply to microenterprises as defined in Article 2(3) of the Annex to the Commission Recommendation 2003/361/EC concerning the definition of micro, small and medium-sized enterprises, provided those enterprises do not have partner enterprises or linked enterprises as defined in Article 3 of the same Annex.

2. Paragraph 1 shall not be interpreted as exempting those operators from fulfilling any other requirements and obligations laid down in this Regulation, including those established in Articles 9, 61 and 62.

3. Requirements and obligations for general purpose AI systems laid down in Article 4b shall not apply to micro, small and medium-sized enterprises, provided those enterprises do not have partner enterprises or linked enterprises as defined in Article 3 of the the Annex to the Commission Recommendation 2003/361/EC concerning the definition of micro, small and medium-sized enterprises.

TITLE VI: Governance

Chapter 1: European Artificial Intelligence Board

Article 56
NumberingCommissionParliamentCouncilText proposed by the AI
Article 56 Article 56
Establishment of the European Artificial Intelligence Board		Article 56
Establishment of the European Artificial Intelligence Office		Article 56
Establishment and structure of the European Artificial Intelligence Board		Article 56
Establishment and Structure of the European Artificial Intelligence Office/Board
Article 56 – paragraph 11. A ‘European Artificial Intelligence Board’ (the ‘Board’) is established.1. The ‘European Artificial Intelligence Office’ (the ‘AI Office’) is hereby established. The AI Office shall be an independent body of the Union. It shall have legal personality.1. A ‘European Artificial Intelligence Board’ (the ‘Board’) is established.A ‘European Artificial Intelligence Entity’ (the ‘Entity’) is hereby established. This Entity, encompassing both a ‘Board’ and an ‘AI Office’, shall be an independent body of the Union with legal personality.
Article 56 – paragraph 2 2. The Board shall provide advice and assistance to the Commission in order to:
(a)contribute to the effective cooperation of the national supervisory authorities and the Commission with regard to matters covered by this Regulation;
(b)coordinate and contribute to guidance and analysis by the Commission and the national supervisory authorities and other competent authorities on emerging issues across the internal market with regard to matters covered by this Regulation;
(c)assist the national supervisory authorities and the Commission in ensuring the consistent application of this Regulation.		2. The AI Office shall have a secretariat, and shall be adequately funded and staffed for the purpose of performing its tasks pursuant to this Regulation.deleted2. The Board, acting as the AI Office, shall provide advice, assistance, and contribute to guidance and analysis to the Commission and the national supervisory authorities. This is to ensure effective cooperation, coordination on emerging issues across the internal market, and consistent application of matters covered by this Regulation. The AI Office shall have a secretariat, and shall be adequately funded and staffed for the purpose of performing its tasks pursuant to this Regulation.
Article 56 – paragraph 2 [C]2. The Board shall be composed of one representative per Member State. The European Data Protection Supervisor shall participate as an observer. The Commission shall also attend the Board’s meetings without taking part in the votes.

Other national and Union authorities, bodies or experts may be invited to the meetings by the Board on a case by case basis, where the issues discussed are of relevance for them.		The Board shall consist of one representative from each Member State. The European Data Protection Supervisor will participate in the Board’s meetings as an observer. The Commission will also be present at these meetings, but will not participate in voting. Other national and Union authorities, bodies, or experts may be invited to attend the meetings on a case-by-case basis, if the Board deems the issues discussed to be relevant to them.
Article 56 – paragraph 2a (new) [P]2a. The seat of the AI Office shall be in Brussels.The AI Office shall be located in Brussels.
Article 56 – paragraph 2a (new) [C]2a. Each representative shall be designated by their Member State for a period of 3 years, renewable once.Each representative shall be appointed by their respective Member State for a term of 3 years, which can be renewed once.
Article 56 – paragraph 2aa (new)2aa. Member States shall ensure that their representatives in the Board:
(i) have the relevant competences and powers in their Member State so as to contribute
actively to the achievement of the board’s tasks referred to in Article 58;
(ii) are designated as a single contact point vis-à-vis the Board and, where appropriate, taking into account Member States’ needs, as a single contact point for stakeholders;
(iii) are empowered to facilitate consistency and coordination between national
competent authorities in their Member State as regards the implementation of this Regulation, including through the collection of relevant data and information for the purpose of fulfilling their tasks on the Board.
Member States shall ensure that their representatives in the Board: (i) possess the necessary competences and powers within their Member State to actively contribute to the accomplishment of the board’s tasks as outlined in Article 58; (ii) are appointed as a single contact point in relation to the Board and, if necessary, considering the needs of Member States, as a single contact point for stakeholders; (iii) are authorized to promote consistency and coordination among national competent authorities within their Member State concerning the implementation of this Regulation, including the gathering of pertinent data and information to carry out their duties on the Board.
Article 56 – paragraph 3 (new)3. The designated representatives of the Member States shall adopt the Board’s rules of procedure by a two-thirds majority.

The rules of procedure shall, in particular, lay down procedures for the selection process, duration of mandate and specifications of the tasks of the Chair, the voting modalities, and the organisation of the Board’s activities and its sub-groups.

The Board shall establish a standing subgroup serving as a platform for stakeholders to advise the Board on all issues related to the implementation of this Regulation, including on the preparation of implementing and delegated acts. To this purpose, organisations representing the interests of the providers and users of AI systems, including SMEs and start-ups, as well as civil society organisations, representatives of affected persons, researchers, standardisation organisations, notified bodies, laboratories and testing and experimentation facilities shall be invited to participate to this sub-group. The Board shall establish two standing sub-groups to provide a platform for cooperation and exchange among market surveillance authorities and notifying authorities on issues related to market surveillance and notified bodies respectively.

The Board may establish other standing or temporary sub-groups as appropriate for the purpose of examining specific issues. Where appropriate, stakeholders referred to in the previous subparagraph may be invited to such sub-groups or to specific meetings of those subgroups in the capacity of observers.		The Board’s rules of procedure shall be adopted by the designated representatives of the Member States by a two-thirds majority. These rules will specifically outline the procedures for the selection process, duration of mandate, and task specifications of the Chair, the voting modalities, and the organisation of the Board’s activities and its sub-groups.

The Board will establish a standing subgroup to serve as a platform for stakeholders to advise on all issues related to the implementation of this Regulation, including the preparation of implementing and delegated acts. Organisations representing the interests of AI system providers and users, including SMEs and start-ups, civil society organisations, representatives of affected persons, researchers, standardisation organisations, notified bodies, laboratories, and testing and experimentation facilities will be invited to participate in this sub-group.

Additionally, the Board will establish two standing sub-groups to facilitate cooperation and exchange among market surveillance authorities and notifying authorities on issues related to market surveillance and notified bodies respectively.

The Board may also establish other standing or temporary sub-groups as needed to examine specific issues. Stakeholders may be invited to these sub-groups or to specific meetings of these subgroups in the capacity of observers, where appropriate.
Article 56 – paragraph 3a (new)3a. The Board shall be organised and operated so as to safeguard the objectivity and impartiality of its activities.The Board shall be organized and operated in a manner that ensures the objectivity and impartiality of its activities.
Article 56 – paragraph 4 (new)4. The Board shall be chaired by one of the representatives of the Member States. Upon request of the Chair, the Commission shall convene the meetings and prepare the agenda in accordance with the tasks of the Board pursuant to this Regulation and its rules of procedure. The Commission shall provide administrative and analytical support for the activities of the Board pursuant to this Regulation.The Board shall be chaired by a representative of the Member States. The Commission, upon request of the Chair, shall convene the meetings and prepare the agenda in line with the Board’s tasks as per this Regulation and its rules of procedure. Additionally, the Commission shall provide the necessary administrative and analytical support for the Board’s activities in accordance with this Regulation.
Article 56a (new)Article 56a
Structure

The administrative and management structure of the AI Office shall comprise:
(a) a management board, including a chair
(b) a secretariat managed by an executive director;
(c) an advisory forum.
The administrative and management structure of the AI Office shall consist of:
(a) a management board, inclusive of a chair
(b) a secretariat, overseen by an executive director;
(c) an advisory forum.
Article 56b (new)Article 56b
Tasks of the AI Office

The AI Office shall carry out the following tasks:

a) support, advise, and cooperate with Member States, national supervisory authorities, the Commission and other Union institutions, bodies, offices and agencies with regard to the implementation of this Regulation;

b) monitor and ensure the effective and consistent application of this Regulation, without prejudice to the tasks of national supervisory authorities;

c) contribute to the coordination among national supervisory authorities responsible for the application of this Regulation,

d) serve as a mediator in discussions about serious disagreements that may arise between competent authorities regarding the application of the Regulation

e) coordinate joint investigations, pursuant to Article 66a;

f) contribute to the effective cooperation with the competent authorities of third countries and with international organisations,

g) collect and share Member States’ expertise and best practices and to assist Member States national supervisory authorities and the Commission in developing the organizational and technical expertise required for the implementation of this Regulation, including by means of facilitating the creation and maintenance of a Union pool of experts

h) examine, on its own initiative or upon the request of its management board or the Commission, questions relating to the implementation of this Regulation and to issue opinions, recommendations or written contributions including with regard to:
(i) technical specifications or existing standards; (ii) the Commission’s guidelines
(iii) codes of conduct and the application thereof, in close cooperation with industry and other relevant stakeholders;
(iv) the possible revision of the Regulation, the preparation of the delegated acts, and possible alignments of this Regulation with the legal acts listed in Annex II;
(v) trends, such as European global competitiveness in artificial intelligence, the uptake of artificial intelligence in the Union, the development of digital skills, and emerging systemic threats relating to artificial intelligence
(vi) guidance on how this Regulation applies to the ever evolving typology of AI value chains, in particular on the resulting implications in terms of accountability of all the entities involved

i) issue:
(i) an annual report that includes an evaluation of the implementation of this Regulation, a review of serious incident reports as referred to in Article 62 and the functioning of the database referred to in Article 60 and
(ii) recommendations to the Commission on the categorisation of prohibited practices, high-risk AI systems referred to in Annex III, the codes of conduct referred to in Article 69, and the application of the general principles outlines in Article 4a

j) assist authorities in the establishment and development of regulatory sandboxes and to facilitate cooperation among regulatory sandboxes;

k) organise meetings with Union agencies and governance bodies whose tasks are related to artificial intelligence and the implementation of this Regulation;

l)organise quarterly consultations with the advisory forum, and, where appropriate, public consultations with other stakeholders, and to make the results of those consultations public on its website;

m) promote public awareness and understanding of the benefits, risks, safeguards and rights and obligations in relation to the use of AI systems;

n) facilitate the development of common criteria and a shared understanding among market operators and competent authorities of the relevant concepts provided for in this Regulation;

o) provide monitoring of foundation models and to organise a regular dialogue with the developers of foundation models with regard to their compliance as well as AI systems that make use of such AI models

p) provide interpretive guidance on how the AI Act applies to the ever evolving typology of AI value chains, and what the resulting implications in terms of accountability of all the entities involved will be under the different scenarios based on the generally acknowledged state of the art, including as reflected in relevant harmonized standards;

q) provide particular oversight and monitoring and institutionalize regular dialogue with the providers of foundation models about the compliance of foundation models as well as AI systems that make use of such AI models with Article 28b of this Regulation, and about industry best practices for self-governance. Any such meeting shall be open to national supervisory authorities, notified bodies and market surveillance authorities to attend and contribute

r) issue and periodically update guidelines on the thresholds that qualify training a foundation model as a large training run, record and monitor known instances of large training runs, and issue an annual report on the state of play in the development, proliferation, and use of foundation models alongside policy options to address risks and opportunities specific to foundation models.

s) promote AI literacy pursuant to Article 4b.

Article 56b
Tasks of the AI Office

The AI Office shall carry out the following tasks:

a) support, advise, and cooperate with Member States, national supervisory authorities, the Commission and other Union institutions, bodies, offices and agencies with regard to the implementation of this Regulation;

b) monitor and ensure the effective and consistent application of this Regulation, without prejudice to the tasks of national supervisory authorities;

c) contribute to the coordination among national supervisory authorities responsible for the application of this Regulation,

d) serve as a mediator in discussions about serious disagreements that may arise between competent authorities regarding the application of the Regulation

e) coordinate joint investigations, pursuant to Article 66a;

f) contribute to the effective cooperation with the competent authorities of third countries and with international organisations,

g) collect and share Member States’ expertise and best practices and to assist Member States national supervisory authorities and the Commission in developing the organizational and technical expertise required for the implementation of this Regulation, including by means of facilitating the creation and maintenance of a Union pool of experts

h) examine, on its own initiative or upon the request of its management board or the Commission, questions relating to the implementation of this Regulation and to issue opinions, recommendations or written contributions including with regard to:
(i) technical specifications or existing standards; (ii) the Commission’s guidelines
(iii) codes of conduct and the application thereof, in close cooperation with industry and other relevant stakeholders;
(iv) the possible revision of the Regulation, the preparation of the delegated acts, and possible alignments of this Regulation with the legal acts listed in Annex II;
(v) trends, such as European global competitiveness in artificial intelligence, the uptake of artificial intelligence in the Union, the development of digital skills, and emerging systemic threats relating to artificial intelligence
(vi) guidance on how this Regulation applies to the ever evolving typology of AI value chains, in particular on the resulting implications in terms of accountability of all the entities involved

i) issue:
(i) an annual report that includes an evaluation of the implementation of this Regulation, a review of serious incident reports as referred to in Article 62 and the functioning of the database referred to in Article 60 and
(ii) recommendations to the Commission on the categorisation of prohibited practices, high-risk AI systems referred to in Annex III, the codes of conduct referred to in Article 69, and the application of the general principles outlines in Article 4a

j) assist authorities in the establishment and development of regulatory sandboxes and to facilitate cooperation among regulatory sandboxes;

k) organise meetings with Union agencies and governance bodies whose tasks are related to artificial intelligence and the implementation of this Regulation;

l) organise quarterly consultations with the advisory forum, and, where appropriate, public consultations with other stakeholders, and to make the results of those consultations public on its website;

m) promote public awareness and understanding of the benefits, risks, safeguards and rights and obligations in relation to the use of AI systems;

n) facilitate the development of common criteria and a shared understanding among market operators and competent authorities of the relevant concepts provided for in this Regulation;

o) provide monitoring of foundation models and to organise a regular dialogue with the developers of foundation models with regard to their compliance as well as AI systems that make use of such AI models

p) provide interpretive guidance on how the AI Act applies to the ever evolving typology of AI value chains, and what the resulting implications in terms of accountability of all the entities involved will be under the different scenarios based on the generally acknowledged state of the art, including as reflected in relevant harmonized standards;

q) provide particular oversight and monitoring and institutionalize regular dialogue with the providers of foundation models about the compliance of foundation models as well as AI systems that make use of such AI models with Article 28b of this Regulation, and about industry best practices for self-governance. Any such meeting shall be open to national supervisory authorities, notified bodies and market surveillance authorities to attend and contribute

r) issue and periodically update guidelines on the thresholds that qualify training a foundation model as a large training run, record and monitor known instances of large training runs, and issue an annual report on the state of play in the development, proliferation, and use of foundation models alongside policy options to address risks and opportunities specific to foundation models.

s) promote AI literacy pursuant to Article 4b.
Article 57
NumberingCommissionParliamentCouncilText proposed by the AI
Section 2 (new)SECTION 2: Management BoardNone
Article – 57a (new)Article – 57a
Composition of the management board

1. The management board shall be composed of the following members:
(a) one representative of each Member State’s national supervisory authority;
(b) one representative from the Commission;
(c) one representative from the European Data Protection Supervisor (EDPS);
(d) one representative from the European Union Agency for Cybersecurity (ENISA);
(e) one representative from the Fundamental Rights Agency (FRA)

Each representative of a national supervisory authority shall have one vote. The representatives of the Commission, the EDPS, the ENISA and the FRA shall not have voting rights. Each member shall have a substitute. The appointment of members and substitute members of the management board shall take into account the need to gender balance. The members of the management board and their substitute members shall be made public.

2. The members and substitutes members of the management board shall not hold conflicting positions or commercial interests with regard to any topic related to the application of this Regulation.

3. The rules for the meetings and voting of the management board and the appointment and removal of the Executive Director shall be laid down in the rules of procedure referred to in Article – 57 b, point (a). 		Article – 57a
Composition of the management board

1. The management board shall be composed of the following members:
(a) one representative of each Member State’s national supervisory authority;
(b) one representative from the Commission;
(c) one representative from the European Data Protection Supervisor (EDPS);
(d) one representative from the European Union Agency for Cybersecurity (ENISA);
(e) one representative from the Fundamental Rights Agency (FRA)

Each representative of a national supervisory authority shall have one vote. The representatives of the Commission, the EDPS, the ENISA and the FRA shall not have voting rights. Each member shall have a substitute. The appointment of members and substitute members of the management board shall take into account the need to gender balance. The members of the management board and their substitute members shall be made public.

2. The members and substitutes members of the management board shall not hold conflicting positions or commercial interests with regard to any topic related to the application of this Regulation.

3. The rules for the meetings and voting of the management board and the appointment and removal of the Executive Director shall be laid down in the rules of procedure referred to in Article – 57 b, point (a).
Article – 57b (new)Article – 57 b
Functions of the management board

1. The management board shall have the following tasks:
(a) to make strategic decisions on the activities of the AI Office and to adopt its rules of procedure by a two-thirds majority of its members;
(b) to implement its rules of procedure;
(c) to adopt the AI Office’s single programming document as well as it annual public report and transmit both to the European Parliament, to the Council, to the Commission, and to the Court of Auditors;
(d) to adopt the AI Office’s budget;
(e) to appoint the executive director and, where relevant, to extend or curtail the executive director’s term of office or remove him or her from office;
(f) to decide on the establishment of the AI Office’s internal structures and, where necessary, the modification of those internal structures necessary for the fulfilment of the AI Office tasks;		Article – 57 b
Functions of the management board

1. The management board shall have the following tasks:
(a) to make strategic decisions on the activities of the AI Office and to adopt its rules of procedure by a two-thirds majority of its members;
(b) to implement its rules of procedure;
(c) to adopt the AI Office’s single programming document as well as it annual public report and transmit both to the European Parliament, to the Council, to the Commission, and to the Court of Auditors;
(d) to adopt the AI Office’s budget;
(e) to appoint the executive director and, where relevant, to extend or curtail the executive director’s term of office or remove him or her from office;
(f) to decide on the establishment of the AI Office’s internal structures and, where necessary, the modification of those internal structures necessary for the fulfilment of the AI Office tasks;
Article – 57c (new)Article – 57 c
Chair of the management board

1. The management board shall elect a Chair and two deputy Chairs from among its voting members, by simple majority.

2. The term of office of the Chair and of the deputy Chairs shall be four years. The terms of the Chair and of the deputy Chairs renewable once.		Article – 57 c
Chair of the management board

1. The management board shall elect a Chair and two deputy Chairs from among its voting members, by simple majority.

2. The term of office of the Chair and of the deputy Chairs shall be four years. The terms of the Chair and of the deputy Chairs are renewable once.
Section 3 (new)SECTION 3: SecretariatSECTION 3: Establishment of a Secretariat
Article 57Article 57
Structure of the Board		Article 57
Secretariat		Article 57 – deletedNone
Article 57 – paragraph 11. The Board shall be composed of the national supervisory authorities, who shall be represented by the head or equivalent high-level official of that authority, and the European Data Protection Supervisor. Other national authorities may be invited to the meetings, where the issues discussed are of relevance for them.1. The activities of the secretariat shall be managed by an executive director. The executive director shall be accountable to the management board. Without prejudice to the respective powers of the management board and the Union institutions, the executive director shall neither seek nor take instructions from any government or from any other bodydeleted1. The Board shall be composed of the national supervisory authorities, represented by the head or equivalent high-level official of that authority, and the European Data Protection Supervisor. Other national authorities may be invited to the meetings, where the issues discussed are of relevance for them. The activities of the Board shall be managed by an executive director, who shall be accountable to the Board. Without prejudice to the respective powers of the Board and the Union institutions, the executive director shall neither seek nor take instructions from any government or from any other body.
Article 57 – paragraph 22. The Board shall adopt its rules of procedure by a simple majority of its members, following the consent of the Commission. The rules of procedure shall also contain the operational aspects related to the execution of the Board’s tasks as listed in Article 58. The Board may establish sub-groups as appropriate for the purpose of examining specific questions.2. The executive director shall attend hearings on any matter linked to the AI Office’s activities and shall report on the performance of the executive director’s duties when invited to do so by the European Parliament or the Council.deleted2. The Board, including the executive director, shall adopt its rules of procedure by a simple majority of its members, following the consent of the Commission. These rules of procedure shall also contain the operational aspects related to the execution of the Board’s tasks as listed in Article 58. The Board may establish sub-groups as appropriate for the purpose of examining specific questions. The executive director shall attend hearings on any matter linked to the Board’s activities and shall report on the performance of the executive director’s duties when invited to do so by the European Parliament.
Article 57 – paragraph 33. The Board shall be chaired by the Commission. The Commission shall convene the meetings and prepare the agenda in accordance with the tasks of the Board pursuant to this Regulation and with its rules of procedure. The Commission shall provide administrative and analytical support for the activities of the Board pursuant to this Regulation3. The executive director shall represent the AI Office, including in international fora for cooperation with regard to artificial intelligence;deleted3. The Board shall be chaired by the Commission, with the executive director representing the AI Office, including in international fora for cooperation with regard to artificial intelligence. The Commission shall convene the meetings and prepare the agenda in accordance with the tasks of the Board pursuant to this Regulation and with its rules of procedure. The Commission shall provide administrative and analytical support for the activities of the Board pursuant to this Regulation.
Article 57 – paragraph 44. The Board may invite external experts and observers to attend its meetings and may hold exchanges with interested third parties to inform its activities to an appropriate extent. To that end the Commission may facilitate exchanges between the Board and other Union bodies, offices, agencies and advisory groups4. The secretariat shall provide the management board and the advisory forum with the analytical, administrative and logistical support necessary to fulfil the tasks of the AI Office, including by:
(a) Implementing the decisions, programmes and activities adopted by the management board;
(b) preparing each year the draft single programming document, the draft budget, the annual activity report on the AI Office, the draft opinions and the draft positions of the AI Office, and submit them to the management board
(c) Coordinating with international fora for cooperation on artificial intelligence;

deleted4. The Board may invite external experts and observers to attend its meetings and may hold exchanges with interested third parties to inform its activities to an appropriate extent. The secretariat shall provide the management board and the advisory forum with the analytical, administrative and logistical support necessary to fulfil the tasks of the AI Office. This includes implementing the decisions, programmes and activities adopted by the management board, preparing each year the draft single programming document, the draft budget, the annual activity report on the AI Office, the draft opinions and the draft positions of the AI Office, and submitting them to the management board. Additionally, the secretariat will coordinate with international fora for cooperation on artificial intelligence. To facilitate these activities, the Commission may facilitate exchanges between the Board and other Union bodies, offices, agencies and advisory groups.
Article 58
NumberingCommissionParliamentCouncilText proposed by the AI
Section 4 (new)SECTION 4: Advisory ForumNone
Article 58 Article 58
Tasks of the Board		Article 58
Advisory Forum		Article 58
Tasks of the Board		Article 58
Tasks and Advisory Forum of the Board
Article 58 – paragraph 1 – introductory partWhen providing advice and assistance to the Commission in the context of Article 56(2), the Board shall in particular:The advisory forum shall provide the AI Office with stakeholder input in matters relating to this Regulation, in particular with regard to the tasks set out in Article 56b point (l).The Board shall advice and assist the Commission and the Member States in order to facilitate the consistent and effective application of this Regulation. For this purpose the Board may in particular:The Advisory Board shall provide advice and assistance to the Commission, the AI Office, and the Member States, particularly in the context of Article 56(2) and Article 56b point (l), in order to facilitate the consistent and effective application of this Regulation. The Board shall also gather and incorporate stakeholder input in matters relating to this Regulation.
Article 58 – paragraph 1 – point a(a) collect and share expertise and best practices among Member States;(a) collect and share technical and regulatory expertise and best practices among Member States;(a) collect and share expertise, technical and regulatory knowledge, and best practices among Member States;
Article 58 – paragraph 1 – point b(b) contribute to uniform administrative practices in the Member States, including for the functioning of regulatory sandboxes referred to in Article 53;(b) contribute to the harmonisation of administrative practices in the Member States, including in relation to the derogation from the conformity assessment procedures referred to in Article 47, the functioning of regulatory sandboxes and testing in real world conditions referred to in Article 53, 54 and 54a;(b) contribute to the harmonisation and uniformity of administrative practices in the Member States, including for the functioning of regulatory sandboxes and testing in real world conditions, as well as in relation to the derogation from the conformity assessment procedures referred to in Article 47, 53, 54 and 54a;
Article 58 – paragraph 1 – point c(c) issue opinions, recommendations or written contributions on matters related to the implementation of this Regulation, in particular
(i) on technical specifications or existing standards regarding the requirements set out in Title III, Chapter 2,
(ii) on the use of harmonised standards or common specifications referred to in Articles 40 and 41,
(iii) on the preparation of guidance documents, including the guidelines concerning the setting of administrative fines referred to in Article 71.		(c) upon the request of the Commission or on its own initiative, issue recommendations and written opinions on any relevant matters related to the implementation of this Regulation and to its consistent and effective application, including:
(i) on technical specifications or existing standards regarding the requirements set out in Title III, Chapter 2,
(ii) on the use of harmonised standards or common specifications referred to in Articles 40 and 41,
(iii) on the preparation of guidance documents, including the guidelines concerning the setting of administrative fines referred to in Article 71;		(c) issue opinions, recommendations or written contributions on matters related to the implementation of this Regulation, either upon the request of the Commission or on its own initiative, particularly on:
(i) technical specifications or existing standards regarding the requirements set out in Title III, Chapter 2,
(ii) the use of harmonised standards or common specifications referred to in Articles 40 and 41,
(iii) the preparation of guidance documents, including the guidelines concerning the setting of administrative fines referred to in Article 71,
to ensure its consistent and effective application.
Article 58 – paragraph 1 – point d (new)(d) advise the Commission on the potential need for amendment of Annex III in accordance with Articles 4 and 7, taking into account relevant available evidence and the latest develoments in technology;(d) advise the Commission on the potential need for amendment of Annex III in accordance with Articles 4 and 7, taking into account relevant available evidence and the latest developments in technology;
Article 58 – paragraph 1 – point e (new)(e) advise the Commission during the preparation of delegated or implementing act pursuant to this Regulation;(e) advise the Commission during the preparation of delegated or implementing act pursuant to this Regulation;
Article 58 – paragraph 1 – point f (new)f) cooperate, as appropriate, with relevant EU bodies, experts groups and networks in particular in the fields of product safety, cybersecurity, competition, digital and media services, financial services, cryptocurrencies, consumer protection, data and fundamental rights protection;Cooperate, as appropriate, with relevant EU bodies, experts groups and networks particularly in the fields of product safety, cybersecurity, competition, digital and media services, financial services, cryptocurrencies, consumer protection, data and fundamental rights protection.
Article 58 – paragraph 1 – point g (new)g) contribute and provide relevant advice to the Commission in the development of the guidance referred to in Article 58a or request the development of such guidance;g) contribute and provide relevant advice to the Commission in the development of the guidance referred to in Article 58a or request the development of such guidance;
Article 58 – paragraph 1 – point h (new)(h) to assist the work of market surveillance authorities and, in cooperation and subject to agreement of the concerned market surveillance authorities, promote and support cross-border market surveillance investigations, including with respect to the emergence of risks of systemic nature that may stem from AI systems;None
Article 58 – paragraph 1 – point i (new)(i) contribute to the assessment of training needs for staff of Member States involved in implementing this Regulation;Contribute to the assessment of training needs for staff of Member States involved in implementing this Regulation.
Article 58 – paragraph 1 – point j (new)(j) advise the Commission in relation to international matters on artificial intelligence.Advise the Commission on international matters concerning artificial intelligence.
Article 58 – paragraph 2 (new)2. The membership of the advisory forum shall represent a balanced selection of stakeholders, including industry, start-ups, SMEs, civil society, the social partners and academia. The membership of the advisory forum shall be balanced with regard to commercial and non-commercial interests and, within the category of commercial interests, with regards to SMEs and other undertakingsThe advisory forum shall consist of a balanced selection of stakeholders, including industry, start-ups, SMEs, civil society, the social partners and academia. The composition of the advisory forum should ensure a balance between commercial and non-commercial interests. Within the commercial interests category, a balance should be maintained between SMEs and other undertakings.
Article 58 – paragraph 3 (new)3. The management board shall appoint the members of the advisory forum in accordance with the selection procedure established in the AI Office’s rules of procedure and taking into account the need for transparency and in accordance with the criteria set out in paragraph 2;The management board shall appoint the members of the advisory forum following the selection procedure established in the AI Office’s rules of procedure. This process should take into account the need for transparency and adhere to the criteria set out in paragraph 2.
Article 58 – paragraph 4 (new)4. The term of office of the members of the advisory forum shall be two years, which may be extended by up to no more than four years.The term of office for the members of the advisory forum shall be two years, with the possibility of extension for a maximum of four additional years.
Article 58 – paragraph 5 (new)5. The European Committee for Standardization (CEN), the European Committee for Electrotechnical Standardization (CENELEC), and the European Telecommunications Standards Institute (ETSI) shall be permanent members of the Advisory Forum. The Joint Research Centre shall be permanent member, without voting rights.The European Committee for Standardization (CEN), the European Committee for Electrotechnical Standardization (CENELEC), and the European Telecommunications Standards Institute (ETSI) shall be permanent members of the Advisory Forum. The Joint Research Centre shall also be a permanent member, but without voting rights.
Article 58 – paragraph 6 (new)6. The advisory forum shall draw up its rules of procedure. It shall elect two co-Chairs from among its members, in accordance with criteria set out in paragraph 2. The term of office of the co-Chairs shall be two years, renewable once.The advisory forum shall establish its own rules of procedure. It shall elect two co-Chairs from among its members, following the criteria outlined in paragraph 2. The co-Chairs will serve a term of two years, with the possibility of one renewal.
Article 58 – paragraph 7 (new)7. The advisory forum shall hold meetings at least four times a year. The advisory forum may invite experts and other stakeholders to its meetings. The executive director may attend, ex officio, the meetings of the advisory forum.The advisory forum is mandated to convene meetings at a minimum frequency of four times annually. The forum retains the discretion to extend invitations to experts and other stakeholders to participate in its meetings. The executive director has the ex officio right to be present at the meetings of the advisory forum.
Article 58 – paragraph 8 (new)8. In fulfilling its role as set out in paragraph 1, the advisory forum may prepare opinions, recommendations and written contributions.In carrying out its responsibilities as outlined in paragraph 1, the advisory forum is permitted to formulate opinions, recommendations, and written contributions.
Article 58 – paragraph 9 (new)9. The advisory forum may establish standing or temporary subgroups as appropriate for the purpose of examining specific questions related to the objectives of this Regulation.The advisory forum may establish standing or temporary subgroups as necessary, specifically for examining questions related to the objectives of this Regulation.
Article 58 – paragraph 10 (new)10. The advisory forum shall prepare an annual report of its activities. That report shall be made publicly available.The advisory forum shall be responsible for the preparation of an annual report detailing its activities. This report shall be made available to the public.
CHAPTER 1a (new) [C]CHAPTER 1A
GUIDELINES FROM THE COMMISSION		None
Article 58 a (new) [C]Article 58a
Guidelines from the Commission on the implementation of this Regulation

1. Upon the request of the Member States or the Board, or on its own initiative, the Commission
shall issue guidelines on the practical implementation of this Regulation, and in particular on
(i) the application of the requirements referred to in Articles 8 – 15;
(ii) the prohibited practices referred to in Article 5;
(iii) the practical implementation of the provisions related to substantial modification;
(iv) the practical implementation of uniform conditions referred to in Article 6, paragraph 3,
including examples in relation to high risk AI systems referred to in Annex III;
(v) the practical implementation of transparency obligations laid down in Article 52;
(vi) the relationship of this Regulation with other relevant Union legislation, including as
regards consistency in their enforcement.

When issuing such guidelines, the Commission shall pay particular attention to the needs of SMEs
including start-ups, local public authorities and sectors most likely to be affected by this Regulation
Article 58a
Guidelines from the Commission on the implementation of this Regulation

1. Upon the request of the Member States or the Board, or on its own initiative, the Commission
shall issue guidelines on the practical implementation of this Regulation, and in particular on
(i) the application of the requirements referred to in Articles 8 – 15;
(ii) the prohibited practices referred to in Article 5;
(iii) the practical implementation of the provisions related to substantial modification;
(iv) the practical implementation of uniform conditions referred to in Article 6, paragraph 3,
including examples in relation to high risk AI systems referred to in Annex III;
(v) the practical implementation of transparency obligations laid down in Article 52;
(vi) the relationship of this Regulation with other relevant Union legislation, including as
regards consistency in their enforcement.

When issuing such guidelines, the Commission shall pay particular attention to the needs of SMEs
including start-ups, local public authorities and sectors most likely to be affected by this Regulation.
Section 5 (new) [P]SECTION 5: European Authorities on benchmarkingNone
Article 58 a (new) [P]Article 58 a
Benchmarking

The European authorities on benchmarking referred to in Article 15 (1a) and the AI Office shall, in close cooperation with international partners, jointly develop cost-effective guidance and capabilities to measure and benchmark aspects of AI systems and AI components, and in particular of foundation models relevant to the compliance and enforcement of this Regulation based on the generally acknowledged state of the art, including as reflected in relevant harmonized standards.

Article 58 a
Benchmarking

The European authorities on benchmarking as mentioned in Article 15 (1a) along with the AI Office, in close collaboration with international partners, shall jointly develop cost-effective guidance and capabilities to measure and benchmark aspects of AI systems and AI components. This will particularly focus on foundation models relevant to the compliance and enforcement of this Regulation, based on the generally acknowledged state of the art, including as reflected in relevant harmonized standards.

Chapter 2: National Competent Authorities

Article 59
NumberingCommissionParliamentCouncilText proposed by the AI
CHAPTER 2CHAPTER 2
National competent authorities		CHAPTER 2
National competent authorities		CHAPTER 2
National competent authorities
Article 59 Article 59
Designation of national competent authorities		Article 59
Designation of national supervisory authorities		Article 59
Designation of national competent authorities		Article 59
Designation of national competent/supervisory authorities
Article 59 – paragraph 11. National competent authorities shall be established or designated by each Member State for the purpose of ensuring the application and implementation of this Regulation. National competent authorities shall be organised so as to safeguard the objectivity and impartiality of their activities and tasks.1. Each Member State shall designate one national supervisory authority, which shall be organised so as to safeguard the objectivity and impartiality of its activities and tasks by …[three months after the date of entry into force of this Regulation].deleted1. Each Member State shall establish or designate a national competent authority or supervisory authority for the purpose of ensuring the application and implementation of this Regulation. This authority shall be organised so as to safeguard the objectivity and impartiality of its activities and tasks.
Article 59 – paragraph 22. Each Member State shall designate a national supervisory authority among the national competent authorities. The national supervisory authority shall act as notifying authority and market surveillance authority unless a Member State has organisational and administrative reasons to designate more than one authority.2. The national supervisory authority shall ensure the application and implementation of this Regulation. With regard to high-risk AI systems, related to products to which legal acts listed in Annex II apply, the competent authorities designated under those legal acts shall continue to lead the administrative procedures. However, to the extent a case involves aspects exclusively covered by this Regulation, those competent authorities shall be bound by the measures related to those aspects issued by the national supervisory authority designated under this Regulation. The national supervisory authority shall act as market surveillance authority.2. Each Member State shall establish or designate at least one notifying authority and at least one market surveillance authority for the purpose of this Regulation as national competent authorities. These national competent authorities shall be organised so as to safeguard the priniciples of objectivity and impartiality of their activities and tasks. Provided that those prinicples are respected, such activities and tasks may be performed by one or several designated authorities, in accordance with the organisational needs of the Member State.2. Each Member State shall designate a national supervisory authority among the national competent authorities. This national supervisory authority shall act as the notifying authority and market surveillance authority, ensuring the application and implementation of this Regulation. In relation to high-risk AI systems, the competent authorities designated under the legal acts listed in Annex II shall continue to lead the administrative procedures. However, if a case involves aspects exclusively covered by this Regulation, those competent authorities shall be bound by the measures related to those aspects issued by the national supervisory authority. Provided that the principles of objectivity and impartiality are respected, such activities and tasks may be performed by one or several designated authorities, in accordance with the organisational and administrative needs of the Member State.
Article 59 – paragraph 33. Member States shall inform the Commission of their designation or designations and, where applicable, the reasons for designating more than one authority.3. Member States shall make publicly available and communicate to the AI Office and the Commission the national supervisory authority and information on how it can be contacted, by… [three months after the date of entry into force of this Regulation]. The national supervisory authority shall act as single point of contact for this Regulation and should be contactable though electronic communications means.3. Member States shall inform the Commission of their designation or designations.3. Member States shall inform the Commission of their designation or designations. They shall also make publicly available and communicate to the AI Office and the Commission the national supervisory authority and information on how it can be contacted, within three months after the date of entry into force of this Regulation. The national supervisory authority shall act as a single point of contact for this Regulation and should be contactable through electronic communications means. Where applicable, Member States should provide the reasons for designating more than one authority.
Article 59 – paragraph 44. Member States shall ensure that national competent authorities are provided with adequate financial and human resources to fulfil their tasks under this Regulation. In particular, national competent authorities shall have a sufficient number of personnel permanently available whose competences and expertise shall include an in-depth understanding of artificial intelligence technologies, data and data computing, fundamental rights, health and safety risks and knowledge of existing standards and legal requirements.4. Member States shall ensure that the national supervisory authority is provided with adequate technical, financial and human resources, and infrastructure to fulfil their tasks effectively under this Regulation. In particular, the national supervisory authority shall have a sufficient number of personnel permanently available whose competences and expertise shall include an in-depth understanding of artificial intelligence technologies, data and data computing, personal data protection, cybersecurity, competition law, fundamental rights, health and safety risks and knowledge of existing standards and legal requirements. Member States shall assess and, if deemed necessary, update competence and resource requirements referred to in this paragraph on an annual basis.4. Member States shall ensure that national competent authorities are provided with adequate financial resources, technical equipment and well qualified human resources to effectively fulfil their tasks under this Regulation.4. Member States shall ensure that national competent authorities, also referred to as the national supervisory authority, are provided with adequate financial resources, technical equipment, human resources, and infrastructure to effectively fulfil their tasks under this Regulation. In particular, these authorities shall have a sufficient number of well-qualified personnel permanently available whose competences and expertise shall include an in-depth understanding of artificial intelligence technologies, data and data computing, personal data protection, cybersecurity, competition law, fundamental rights, health and safety risks and knowledge of existing standards and legal requirements. Member States shall assess and, if deemed necessary, update competence and resource requirements referred to in this paragraph on an annual basis.
Article 59 – paragraph 4a (new)4a. Each national supervisory authority shall exercise their powers and carry out their duties independently, impartially and without bias. The members of each national supervisory authority, in the performance of their tasks and exercise of their powers under this Regulation, shall neither seek nor take instructions from any body and shall refrain from any action incompatible with their duties.Each national supervisory authority is required to exercise their powers and perform their duties independently, impartially, and without bias. The members of each national supervisory authority should not seek or take instructions from any body while performing their tasks and exercising their powers under this Regulation. They should also avoid any action that is incompatible with their duties.
Article 59 – paragraph 4b (new)4b. National supervisory authorities shall satisfy the minimum cybersecurity requirements set out for public administration entities identified as operators of essential services pursuant to Directive (EU) 2022/2555.National supervisory authorities shall ensure compliance with the minimum cybersecurity requirements established for public administration entities identified as operators of essential services in accordance with Directive (EU) 2022/2555.
Article 59 – paragraph 4c (new)4c. When performing their tasks, the national supervisory authority shall act in compliance with the confidentiality obligations set out in Article 70.When performing their tasks, the national supervisory authority shall act in accordance with the confidentiality obligations as stipulated in Article 70.
Article 59 – paragraph 55. Member States shall report to the Commission on an annual basis on the status of the financial and human resources of the national competent authorities with an assessment of their adequacy. The Commission shall transmit that information to the Board for discussion and possible recommendations.5. Member States shall report to the Commission on an annual basis on the status of the financial and human resources of the national supervisory authority with an assessment of their adequacy. The Commission shall transmit that information to the AI Office for discussion and possible recommendations5. By [one year after entry into force of this Regulation] and afterwards six months before the deadline referred to in Article 84(2) Member States shall inform the Commission on the status of the financial resources, technical equipment and human resources of the national competent authorities with an assessment of their adequacy. The Commission shall transmit that information to the Board for discussion and possible recommendations.5. Member States shall report to the Commission on an annual basis, starting from [one year after entry into force of this Regulation], and afterwards six months before the deadline referred to in Article 84(2), on the status of the financial resources, technical equipment and human resources of the national competent authorities or supervisory authority with an assessment of their adequacy. The Commission shall transmit that information to the Board or AI Office for discussion and possible recommendations.
Article 59 – paragraph 66. The Commission shall facilitate the exchange of experience between national competent authorities.deleted6. The Commission shall facilitate the exchange of experience between national competent authorities.6. The Commission shall facilitate the exchange of experience between national competent authorities.
Article 59 – paragraph 77. National competent authorities may provide guidance and advice on the implementation of this Regulation, including to small-scale providers. Whenever national competent authorities intend to provide guidance and advice with regard to an AI system in areas covered by other Union legislation, the competent national authorities under that Union legislation shall be consulted, as appropriate. Member States may also establish one central contact point for communication with operators.7. National supervisory authorities may provide guidance and advice on the implementation of this Regulation, including to SMEs and start-ups, taking into account the AI Office or the Commission’s guidance and advice. Whenever the national supervisory authority intend to provide guidance and advice with regard to an AI system in areas covered by other Union law, the guidance shall be drafted in consultation with the competent national authorities under that Union law, as appropriate.7. National competent authorities may provide advice on the implementation of this Regulation, including tailored to SME providers, including start-ups. Whenever national competent authorities intend to provide guidance and advice with regard to an AI system in areas covered by other Union legislation, the competent national authorities under that Union legislation shall be consulted, as appropriate. Member States may also establish one central contact point for communication with operators7. National competent authorities or supervisory authorities may provide guidance and advice on the implementation of this Regulation, including to small-scale providers, SMEs, and start-ups, taking into account the AI Office or the Commission’s guidance and advice. Whenever these authorities intend to provide guidance and advice with regard to an AI system in areas covered by other Union legislation or law, the guidance shall be drafted in consultation with the competent national authorities under that Union legislation or law, as appropriate. Member States may also establish one central contact point for communication with operators.
Article 59 – paragraph 88. When Union institutions, agencies and bodies fall within the scope of this Regulation, the European Data Protection Supervisor shall act as the competent authority for their supervision.8. When Union institutions, agencies and bodies fall within the scope of this Regulation, the European Data Protection Supervisor shall act as the competent authority for their supervision and coordination.8. When Union institutions, agencies and bodies fall within the scope of this Regulation, the European Data Protection Supervisor shall act as the competent authority for their supervision.8. When Union institutions, agencies and bodies fall within the scope of this Regulation, the European Data Protection Supervisor shall act as the competent authority for their supervision.
Article 59a (new)Article 59a
Cooperation mechanism between national supervisory authorities in cases involving two or more Member States

1. Each national supervisory authority shall perform its tasks and powers conferred on in accordance with this Regulation on the territory of its own Member State.

2. In the event of a case involving two or more national supervisory authorities, the national supervisory authority of the Member State where the infringement took place shall be considered the lead supervisory authority.

3. In the cases referred to in paragraph 2, the relevant supervisory authorities shall cooperate and exchange all relevant information in due time. National supervisory authorities shall cooperate in order to reach a consensus.

Article 59a
Cooperation mechanism between national supervisory authorities in cases involving two or more Member States

1. Each national supervisory authority shall perform its tasks and powers conferred on in accordance with this Regulation on the territory of its own Member State.

2. In the event of a case involving two or more national supervisory authorities, the national supervisory authority of the Member State where the infringement took place shall be considered the lead supervisory authority.

3. In the cases referred to in paragraph 2, the relevant supervisory authorities shall cooperate and exchange all relevant information in due time. National supervisory authorities shall cooperate in order to reach a consensus.

TITLE VII: EU Database for Stand-Alone High-Risk AI Systems

Article 60
NumberingCommissionParliamentCouncilText proposed by the AI
Title VIITITLE VII
EU DATABASE FOR STAND-ALONE HIGH-RISK AI SYSTEMS		TITLE VII
EU DATABASE FOR HIGH-RISK AI SYSTEMS		TITLE VII
EU DATABASE FOR HIGH-RISK AI SYSTEMS LISTED IN ANNEX III		TITLE VII
EU DATABASE FOR STAND-ALONE AND OTHER HIGH-RISK AI SYSTEMS LISTED IN ANNEX III
Article 60 Article 60
EU database for stand-alone high-risk AI systems		Article 60
EU database for high-risk AI systems		Article 60
EU database for high-risk AI systems listed in Annex III		Article 60
EU database for high-risk AI systems, including stand-alone systems, as listed in Annex III
Article 60 – paragraph 11. The Commission shall, in collaboration with the Member States, set up and maintain a EU database containing information referred to in paragraph 2 concerning high-risk AI systems referred to in Article 6(2) which are registered in accordance with Article 51.1. The Commission shall, in collaboration with the Member States, set up and maintain a public EU database containing information referred to in paragraphs 2 and 2a concerning high-risk AI systems referred to in Article 6 (2) which are registered in accordance with Article 51.1. The Commission shall, in collaboration with the Member States, set up and maintain a EU database containing information referred to in paragraph 2 concerning relevant operators and high-risk AI systems listed in Annex III which are registered in accordance with Articles 51 and 54a. When setting the fuctional specifications of such database, the Commission shall consult the AI Board.1. The Commission shall, in collaboration with the Member States, set up and maintain a public EU database containing information referred to in paragraphs 2 and 2a concerning relevant operators and high-risk AI systems referred to in Article 6(2) and listed in Annex III, which are registered in accordance with Articles 51 and 54a. When setting the functional specifications of such database, the Commission shall consult the AI Board.
Article 60 – paragraph 22. The data listed in Annex VIII shall be entered into the EU database by the providers. The Commission shall provide them with technical and administrative suppor2. The data listed in Annex VIII, Section A, shall be entered into the EU database by the providers.2. The data listed in Annex VIII, Part I, shall be entered into the EU database by the providers, authorised representatives and relevant users, as applicable, upon their registration. The data listed in Annex VIII, Part II, 1 to 11, shall be entered into the EU database by the providers, or where applicable by the authorised representative, in accordance with Article 51. The data referred in Annex VIII, Part II, 12 shall be automatically generated by the database based on the information provided by relevant users pursuant to Article 51(2). The data listed in Annex VIIIa shall be entered into the database by the prospective providers or providers in accordance with Article 54a.2. The data listed in Annex VIII, as specified in Section A and Part I, shall be entered into the EU database by the providers, authorised representatives and relevant users, as applicable, upon their registration. The data listed in Annex VIII, Part II, 1 to 11, shall be entered into the EU database by the providers, or where applicable by the authorised representative, in accordance with Article 51. The data referred in Annex VIII, Part II, 12 shall be automatically generated by the database based on the information provided by relevant users pursuant to Article 51(2). The data listed in Annex VIIIa shall be entered into the database by the prospective providers or providers in accordance with Article 54a. The Commission shall provide them with technical and administrative support.
Article 60 – paragraph 2a (new)2a. The data listed in Annex VIII, Section B, shall be entered into the EU database by the deployers who are or who act on behalf of public authorities or Union institutions, bodies, offices or agencies and by deployers who are undertakings referred to in Article 51(1a) and (1b).The data specified in Annex VIII, Section B, shall be entered into the EU database by the deployers who are or who act on behalf of public authorities or Union institutions, bodies, offices or agencies, as well as by deployers who are undertakings referred to in Article 51(1a) and (1b).
Article 60 – paragraph 33. Information contained in the EU database shall be accessible to the public.3. Information contained in the EU database shall be freely available to the public, user-friendly and accessible, easily navigable and machine-readable containing structured digital data based on a standardised protocol.deleted3. Information contained in the EU database shall be freely available to the public, user-friendly and accessible, easily navigable and machine-readable containing structured digital data based on a standardised protocol.
Article 60 – paragraph 44. The EU database shall contain personal data only insofar as necessary for collecting and processing information in accordance with this Regulation. That information shall include the names and contact details of natural persons who are responsible for registering the system and have the legal authority to represent the provider.4. The EU database shall contain personal data only insofar as necessary for collecting and processing information in accordance with this Regulation. That information shall include the names and contact details of natural persons who are responsible for registering the system and have the legal authority to represent the provider or the deployer which is a public authority or Union institution, body, office or agency or a deployer acting on their behalf or a deployer which is an undertaking referred to in Article 51(1a)(b) and (1b)4. The EU database shall contain no personal data, except for the information listed in Annex VIII, and shall be without prejudice to Article 70.4. The EU database shall contain personal data only insofar as necessary for collecting and processing information in accordance with this Regulation, and shall be without prejudice to Article 70. That information shall include the names and contact details of natural persons who are responsible for registering the system and have the legal authority to represent the provider or the deployer which is a public authority or Union institution, body, office or agency or a deployer acting on their behalf or a deployer which is an undertaking referred to in Article 51(1a)(b) and (1b). Any other personal data shall be limited to the information listed in Annex VIII.
Article 60 – paragraph 55. The Commission shall be the controller of the EU database. It shall also ensure to providers adequate technical and administrative support.5. The Commission shall be the controller of the EU database. It shall also ensure to providers and deployers adequate technical and administrative support.

The database shall comply with the accessibility requirements of Annex I to Directive (EU) 2019/882.		5. The Commission shall be the controller of the EU database. It shall make available to providers, prospective providers and users adequate technical and administrative support.5. The Commission shall be the controller of the EU database. It shall also ensure to providers, prospective providers, deployers, and users adequate technical and administrative support. The database shall comply with the accessibility requirements of Annex I to Directive (EU) 2019/882.
Article 60 – paragraph 5a5a. Information contained in the EU database registered in accordance with Article 51 shall be accessible to the public. The information registered in accordance with Article 54a shall be accessible only to market surveillance authorites and the Commission, unless the prospective provider or provider has given consent for making this information also accessible the public.Information contained in the EU database registered in accordance with Article 51 shall be accessible to the public. The information registered in accordance with Article 54a shall be accessible only to market surveillance authorities and the Commission, unless the prospective provider or provider has given consent for making this information also accessible to the public.

TITLE VIII: Post-Market Monitoring, Information Sharing, Market Surveillance

Chapter 1: Post-Market Monitoring

Article 61
NumberingCommissionParliamentCouncilText proposed by the AI
Article 61Article 61
Post-market monitoring by providers and post-market monitoring plan for high-risk AI systems		Article 61
Post-market monitoring by providers and post-market monitoring plan for high-risk AI systems		Article 61
Post-market monitoring by providers and post-market monitoring plan for high-risk AI system		Article 61
Post-market monitoring by providers and post-market monitoring plan for high-risk AI systems
Article 61 – paragraph 11. Providers shall establish and document a post-market monitoring system in a manner that is proportionate to the nature of the artificial intelligence technologies and the risks of the high-risk AI system.1. Providers shall establish and document a post-market monitoring system in a manner that is proportionate to the nature of the artificial intelligence technologies and the risks of the high-risk AI system.1. Providers shall establish and document a post-market monitoring system in a manner that is proportionate to the risks of the high-risk AI systemProviders shall establish and document a post-market monitoring system in a manner that is proportionate to the nature of the artificial intelligence technologies and the risks of the high-risk AI system.
Article 61 – paragraph 22. The post-market monitoring system shall actively and systematically collect, document and analyse relevant data provided by users or collected through other sources on the performance of high-risk AI systems throughout their lifetime, and allow the provider to evaluate the continuous compliance of AI systems with the requirements set out in Title III, Chapter 2.2. The post-market monitoring system shall actively and systematically collect, document and analyse relevant data provided by deployers or collected through other sources on the performance of high-risk AI systems throughout their lifetime, and allow the provider to evaluate the continuous compliance of AI systems with the requirements set out in Title III, Chapter 2. Where relevant, post-market monitoring shall include an analysis of the interaction with other AI systems environment, including other devices and software taking into account the rules applicable from areas such as data protection, intellectual property rights and competition law. 2. In order to allow the provider to evaluate the compliance of AI systems with the requirements set out in Title III, Chapter 2 throughout their life cycle, the post-market monitoring system shall collect, document and analyse relevant data, which may be provided by users or which may be collected through other sources on the performance of high-risk AI systems. This obligation shall not cover sensitive operational data of users of AI systems which are law enforcement authorities.2. The post-market monitoring system shall actively and systematically collect, document and analyse relevant data, which may be provided by users or deployers, or collected through other sources on the performance of high-risk AI systems throughout their lifetime. This will allow the provider to evaluate the continuous compliance of AI systems with the requirements set out in Title III, Chapter 2. The post-market monitoring shall include an analysis of the interaction with other AI systems environment, including other devices and software, taking into account the rules applicable from areas such as data protection, intellectual property rights and competition law. However, this obligation shall not cover sensitive operational data of users of AI systems which are law enforcement authorities.
Article 61 – paragraph 33. The post-market monitoring system shall be based on a post-market monitoring plan. The post-market monitoring plan shall be part of the technical documentation referred to in Annex IV. The Commission shall adopt an implementing act laying down detailed provisions establishing a template for the post-market monitoring plan and the list of elements to be included in the plan.3. The post-market monitoring system shall be based on a post-market monitoring plan. The post-market monitoring plan shall be part of the technical documentation referred to in Annex IV. The Commission shall adopt an implementing act laying down detailed provisions establishing a template for the post-market monitoring plan and the list of elements to be included in the plan by [twelve months after the date of entry into force of this Regulation].3. The post-market monitoring system shall be based on a post-market monitoring plan. The post-market monitoring plan shall be part of the technical documentation referred to in Annex IV. The Commission shall adopt an implementing act laying down detailed provisions establishing a template for the post-market monitoring plan and the list of elements to be included in the plan3. The post-market monitoring system shall be based on a post-market monitoring plan. The post-market monitoring plan shall be part of the technical documentation referred to in Annex IV. The Commission shall adopt an implementing act laying down detailed provisions establishing a template for the post-market monitoring plan and the list of elements to be included in the plan by [twelve months after the date of entry into force of this Regulation].
Article 61 – paragraph 44.For high-risk AI systems covered by the legal acts referred to in Annex II, where a post-market monitoring system and plan is already established under that legislation, the elements described in paragraphs 1, 2 and 3 shall be integrated into that system and plan as appropriate.

The first subparagraph shall also apply to high-risk AI systems referred to in point 5(b) of Annex III placed on the market or put into service by credit institutions regulated by Directive 2013/36/EU.		4.For high-risk AI systems covered by the legal acts referred to in Annex II, where a post-market monitoring system and plan is already established under that legislation, the elements described in paragraphs 1, 2 and 3 shall be integrated into that system and plan as appropriate.

The first subparagraph shall also apply to high-risk AI systems referred to in point 5(b) of Annex III placed on the market or put into service by credit institutions regulated by Directive 2013/36/EU.		4. For high-risk AI systems covered by the legal acts referred to in Annex II, Section A, where a post-market monitoring system and plan is already established under that legislation, the post-market monitoring documentation as prepared under that legislation shall be deemed sufficient, provided that th template referred to paragraph 3 is used.

The first subparagraph shall also apply high-risk AI systems referred to in point 5 of Annex III placed on the market or put into service by financial institutions that are subject to requirements regarding their internal governance, arrangements or processes under Union financial services legislation.		4. For high-risk AI systems covered by the legal acts referred to in Annex II and Annex II, Section A, where a post-market monitoring system and plan is already established under that legislation, the elements described in paragraphs 1, 2 and 3 shall be integrated into that system and plan as appropriate, and the post-market monitoring documentation as prepared under that legislation shall be deemed sufficient, provided that the template referred to paragraph 3 is used.

The first subparagraph shall also apply to high-risk AI systems referred to in point 5(b) of Annex III and point 5 of Annex III placed on the market or put into service by credit institutions regulated by Directive 2013/36/EU and financial institutions that are subject to requirements regarding their internal governance, arrangements or processes under Union financial services legislation.

Chapter 2: Sharing of Information on Incidents and Malfunctioning

Article 62
NumeringCommissionParliamentCouncilText proposed by the AI
CHAPTER 2Chapter 2
Sharing of information on incidents and malfunctioning		Chapter 2
Sharing of information on incidents and malfunctioning		Chapter 2
Sharing of information on serious incidents 		Chapter 2
Sharing of information on incidents, serious incidents and malfunctioning
Article 62Article 62
Reporting of serious incidents and of malfunctioning		Article 62
Reporting of serious incidents		Article 62
Reporting of serious incidents		Article 62
Reporting of serious incidents and malfunctioning
Article 62 – paragraph 1 – introductory part1. Providers of high-risk AI systems placed on the Union market shall report any serious incident or any malfunctioning of those systems which constitutes a breach of obligations under Union law intended to protect fundamental rights to the market surveillance authorities of the Member States where that incident or breach occurred.1. Providers and, where deployers have identified a serious incident, deployers of high-risk AI systems placed on the Union market shall report any serious incident of those systems which constitutes a breach of obligations under Union law intended to protect fundamental rights to the national supervisory authority of the Member States where that incident or breach occurred.1. Providers of high-risk AI systems placed on the Union market shall report any serious incident to the market surveillance authorities of the Member States where that incident occurred.
1. Providers and, where deployers have identified a serious incident, deployers of high-risk AI systems placed on the Union market shall report any serious incident or any malfunctioning of those systems which constitutes a breach of obligations under Union law intended to protect fundamental rights to the market surveillance authorities or the national supervisory authority of the Member States where that incident or breach occurred.
Article 62 – paragraph 1 – subparagraph 1Such notification shall be made immediately after the provider has established a causal link between the AI system and the incident or malfunctioning or the reasonable likelihood of such a link, and, in any event, not later than 15 days after the providers becomes aware of the serious incident or of the malfunctioning.Such notification shall be made without undue delay after the provider, or, where applicable the deployer, has established a causal link between the AI system and the incident or the reasonable likelihood of such a link, and, in any event, not later than 72 hours after the provider or, where applicable, the deployer becomes aware of the serious incident.Such notification shall be made immediately after the provider has established a causal link between the AI system and the serious incident or the reasonable likelihood of such a link, and, in any event, not later than 15 days after the providers becomes aware of the serious incidentSuch notification shall be made without undue delay and immediately after the provider, or, where applicable the deployer, has established a causal link between the AI system and the serious incident or malfunctioning or the reasonable likelihood of such a link, and, in any event, not later than 15 days after the provider or, where applicable, the deployer becomes aware of the serious incident or of the malfunctioning.
Article 62 – paragraph 1a (new)1a. Upon establishing a causal link between the AI system and the serious incident or the reasonable likelihood of such a link, providers shall take appropriate corrective actions pursuant to Article 21.Upon identifying a causal relationship between the AI system and a serious incident, or a reasonable probability of such a link, providers are required to undertake suitable corrective measures in accordance with Article 21.
Article 62 – paragraph 22. Upon receiving a notification related to a breach of obligations under Union law intended to protect fundamental rights, the market surveillance authority shall inform the national public authorities or bodies referred to in Article 64(3). The Commission shall develop dedicated guidance to facilitate compliance with the obligations set out in paragraph 1. That guidance shall be issued 12 months after the entry into force of this Regulation, at the latest.2. Upon receiving a notification related to a breach of obligations under Union law intended to protect fundamental rights, the national supervisory authority shall inform the national public authorities or bodies referred to in Article 64(3). The Commission shall develop dedicated guidance to facilitate compliance with the obligations set out in paragraph 1. That guidance shall be issued by [the entry into force of this Regulation] and shall be assessed regularly.2. Upon receiving a notification related to a serious incident referred to in Article 3(44)(c), the relevant market surveillance authority shall inform the national public authorities or bodies referred to in Article 64(3). The Commission shall develop dedicated guidance to facilitate compliance with the obligations set out in paragraph 1. That guidance shall be issued 12 months after the entry into force of this Regulation, at the latest.2. Upon receiving a notification related to a breach of obligations under Union law intended to protect fundamental rights or a serious incident referred to in Article 3(44)(c), the relevant market surveillance authority or the national supervisory authority shall inform the national public authorities or bodies referred to in Article 64(3). The Commission shall develop dedicated guidance to facilitate compliance with the obligations set out in paragraph 1. That guidance shall be issued 12 months after the entry into force of this Regulation, at the latest, and shall be assessed regularly.
Article 62 – paragraph 2a (new)2a. The national supervisory authority shall take appropriate measures within 7 days from the date it received the notification referred to in paragraph 1. Where the infringement takes place or is likely to take place in other Member States, the national supervisory authority shall notify the AI Office and the relevant national supervisory authorities of these Member States.The national supervisory authority is required to take appropriate measures within a 7-day period from the date of receiving the notification mentioned in paragraph 1. In instances where the infringement occurs or is anticipated to occur in other Member States, the national supervisory authority is obligated to notify both the AI Office and the relevant national supervisory authorities of these Member States.
Article 62 – paragraph 33. For high-risk AI systems referred to in point 5(b) of Annex III which are placed on the market or put into service by providers that are credit institutions regulated by Directive 2013/36/EU and for high-risk AI systems which are safety components of devices, or are themselves devices, covered by Regulation (EU) 2017/745 and Regulation (EU) 2017/746, the notification of serious incidents or malfunctioning shall be limited to those that that constitute a breach of obligations under Union law intended to protect fundamental rights.3. For high-risk AI systems referred to in Annex III that are placed on the market or put into service by providers that are subject to Union legislative instruments laying down reporting obligations equivalent to those set out in this Regulation, the notification of serious incidents constituting a breach of fundamental rights under Union law shall be transferred to the national supervisory authority.3. For high-risk AI systems referred to in point 5 of Annex III which are placed on the market or put into service by providers that are financial institutions that are subject to requirements regarding their internal governance, arrangements or processes under Union financial services legislation, the notification of serious incidents shall be limited to those referred to in Article 3(44)(c).3. For high-risk AI systems referred to in point 5(b) of Annex III, which are placed on the market or put into service by providers that are credit institutions regulated by Directive 2013/36/EU or financial institutions subject to Union financial services legislation, and for high-risk AI systems which are safety components of devices, or are themselves devices, covered by Regulation (EU) 2017/745 and Regulation (EU) 2017/746, the notification of serious incidents or malfunctioning shall be limited to those that constitute a breach of obligations under Union law intended to protect fundamental rights. These notifications shall be transferred to the national supervisory authority in accordance with Union legislative instruments laying down reporting obligations equivalent to those set out in this Regulation.
Article 62 – paragraph 4 (new)4. For high-risk AI systems which are safety components of devices, or are themselves devices, covered by Regulation (EU) 2017/745 and Regulation (EU) 2017/746 the notification of serious incidents shall be limited to those referred to in Article 3(44)(c) and be made to the national competent authority chosen for this purpose by the Member States where that incident occurred.For high-risk AI systems that are safety components of devices, or are themselves devices, covered by Regulation (EU) 2017/745 and Regulation (EU) 2017/746, the notification of serious incidents should be limited to those specified in Article 3(44)(c). These notifications should be made to the national competent authority chosen for this purpose by the Member States where the incident occurred.
Article 62 – paragraph 3a (new)3a. National supervisory authorities shall on an annual basis notify the AI Office of the serious incidents reported to them in accordance with this Article.National supervisory authorities are required to annually report to the AI Office about the serious incidents that have been notified to them in accordance with this Article.

Chapter 3: Enforcement

Article 63
NumberingCommissionParliamentCouncilText proposed by the AI
Article 63Article 63
Market surveillance and control of AI systems in the Union market		Article 63
Market surveillance and control of AI systems in the Union market		Article 63
Market surveillance and control of AI systems in the Union market		Article 63
Market surveillance and control of AI systems in the Union market
Article 63 – paragraph 1 – introductory part1. Regulation (EU) 2019/1020 shall apply to AI systems covered by this Regulation. However, for the purpose of the effective enforcement of this Regulation:1. Regulation (EU) 2019/1020 shall apply to AI systems and foundation models covered by this Regulation. However, for the purpose of the effective enforcement of this Regulation:1. Regulation (EU) 2019/1020 shall apply to AI systems covered by this Regulation. However, for the purpose of the effective enforcement of this Regulation:1. Regulation (EU) 2019/1020 shall apply to AI systems and foundation models covered by this Regulation. However, for the purpose of the effective enforcement of this Regulation:
Article 63 – paragraph 1 – point a(a) any reference to an economic operator under Regulation (EU) 2019/1020 shall be understood as including all operators identified in Title III, Chapter 3 of this Regulation;(a) any reference to an economic operator under Regulation (EU) 2019/1020 shall be understood as including all operators identified in Title III, Chapter 3 of this Regulation;(a) any reference to an economic operator under Regulation (EU) 2019/1020 shall be understood as including all operators identified in Article 2 of this Regulation;(a) any reference to an economic operator under Regulation (EU) 2019/1020 shall be understood as including all operators identified in Title III, Chapter 3 and Article 2 of this Regulation;
Article 63 – paragraph 1 – point b(b) any reference to a product under Regulation (EU) 2019/1020 shall be understood as including all AI systems falling within the scope of this Regulation.(b) any reference to a product under Regulation (EU) 2019/1020 shall be understood as including all AI systems falling within the scope of this Regulation.(b) any reference to a product under Regulation (EU) 2019/1020 shall be understood as including all AI systems falling within the scope of this Regulation.(b) any reference to a product under Regulation (EU) 2019/1020 shall be understood as including all AI systems falling within the scope of this Regulation.
Article 63 – paragraph 1 – point ba (new)(ba) the national supervisory authorities shall act as market surveillance authorities under this Regulation and have the same powers and obligations as market surveillance authorities under Regulation (EU) 2019/1020.The national supervisory authorities shall serve as market surveillance authorities in accordance with this Regulation, possessing the same powers and obligations as market surveillance authorities under Regulation (EU) 2019/1020.
Article 63 – paragraph 22. The national supervisory authority shall report to the Commission on a regular basis the outcomes of relevant market surveillance activities. The national supervisory authority shall report, without delay, to the Commission and relevant national competition authorities any information identified in the course of market surveillance activities that may be of potential interest for the application of Union law on competition rules2. The national supervisory authority shall report to the Commission and the AI Office annually the outcomes of relevant market surveillance activities. The national supervisory authority shall report, without delay, to the Commission and relevant national competition authorities any information identified in the course of market surveillance activities that may be of potential interest for the application of Union law on competition rules2. As part of their reporting obligations under Article 34(4) of Regulation (EU) 2019/1020, the market surveillance authorities shall report to the Commission about the outcomes of relevant market surveillance activities under this Regulation.2. As part of their reporting obligations under Article 34(4) of Regulation (EU) 2019/1020, the national supervisory authority shall report to the Commission and the AI Office annually the outcomes of relevant market surveillance activities. The national supervisory authority shall also report, without delay, to the Commission and relevant national competition authorities any information identified in the course of market surveillance activities that may be of potential interest for the application of Union law on competition rules.
Article 63 – paragraph 33. For high-risk AI systems, related to products to which legal acts listed in Annex II, section A apply, the market surveillance authority for the purposes of this Regulation shall be the authority responsible for market surveillance activities designated under those legal acts.3. For high-risk AI systems, related to products to which legal acts listed in Annex II, section A apply, the market surveillance authority for the purposes of this Regulation shall be the authority responsible for market surveillance activities designated under those legal acts.3. For high-risk AI systems, related to products to which legal acts listed in Annex II, section A apply, the market surveillance authority for the purposes of this Regulation shall be the authority responsible for market surveillance activities designated under those legal acts or, in justified circumstances and provided that coordination is ensured, another relevant authority identified by the Member State.

The procedures referred to in Articles 65, 66, 67 and 68 of this Regulation shall not apply to AI systems related to products, to which legal acts listed in Annex II, section A apply, when such legal acts already provide for procedures having the same objective. In such a case, these sectoral procedures shall apply instead.		3. For high-risk AI systems, related to products to which legal acts listed in Annex II, section A apply, the market surveillance authority for the purposes of this Regulation shall be the authority responsible for market surveillance activities designated under those legal acts. In justified circumstances and provided that coordination is ensured, another relevant authority identified by the Member State may also be considered.

The procedures referred to in Articles 65, 66, 67 and 68 of this Regulation shall not apply to AI systems related to products, to which legal acts listed in Annex II, section A apply, when such legal acts already provide for procedures having the same objective. In such a case, these sectoral procedures shall apply instead.
Article 63 – paragraph 3a (new)3a. For the purpose of ensuring the effective enforcement of this Regulation, national supervisory authorities may:
(a) carry out unannounced on-site and remote inspections of high-risk AI systems;
(b) acquire samples related to high-risk AI systems, including through remote inspections, to reverse-engineer the AI systems and to acquire evidence to identify non-compliance.		In order to ensure the effective enforcement of this Regulation, national supervisory authorities are permitted to:
(a) conduct unannounced on-site and remote inspections of high-risk AI systems;
(b) obtain samples related to high-risk AI systems, including through remote inspections, for the purpose of reverse-engineering the AI systems and gathering evidence to identify non-compliance.
Article 63 – paragraph 44. For AI systems placed on the market, put into service or used by financial institutions regulated by Union legislation on financial services, the market surveillance authority for the purposes of this Regulation shall be the relevant authority responsible for the financial supervision of those institutions under that legislation.4. For AI systems placed on the market, put into service or used by financial institutions regulated by Union legislation on financial services, the market surveillance authority for the purposes of this Regulation shall be the relevant authority responsible for the financial supervision of those institutions under that legislation.4. For high-risk AI systems placed on the market, put into service or used by financial institutions regulated by Union legislation on financial services, the market surveillance authority for the purposes of this Regulation shall be the relevant national authority responsible for the financial supervision of those institutions under that legislation in so far as the placement on the market, putting into service or the use of the AI system is in direct connection with the provision of those financial services.

By way of a derogation from the previous subparagraph, in justified circumstances and provided that coordination is ensured, another relevant authority may be identified by the Member State as market surveillance authority for the purposes of this Regulation.

National market surveillance authorities supervising regulated credit institutions regulated under Directive 2013/36/EU, which are participating in the Single Supervisory Mechanism (SSM) established by Council Regulation No 1204/2013, should report, without delay, to the European Central Bank any information identified in the course of their market surveillance activities that may be of potential interest for the European Central Bank’s prudential supervisory tasks as specified in that Regulation.		4. For high-risk AI systems placed on the market, put into service or used by financial institutions regulated by Union legislation on financial services, the market surveillance authority for the purposes of this Regulation shall be the relevant authority responsible for the financial supervision of those institutions under that legislation.

This is applicable in so far as the placement on the market, putting into service or the use of the AI system is in direct connection with the provision of those financial services. In justified circumstances and provided that coordination is ensured, another relevant authority may be identified by the Member State as market surveillance authority for the purposes of this Regulation.

National market surveillance authorities supervising regulated credit institutions under Directive 2013/36/EU, participating in the Single Supervisory Mechanism (SSM) established by Council Regulation No 1204/2013, should report, without delay, to the European Central Bank any information identified in the course of their market surveillance activities that may be of potential interest for the European Central Bank’s prudential supervisory tasks as specified in that Regulation.
Article 63 – paragraph 55. For AI systems listed in point 1(a) in so far as the systems are used for law enforcement purposes, points 6 and 7 of Annex III, Member States shall designate as market surveillance authorities for the purposes of this Regulation either the competent data protection supervisory authorities under Directive (EU) 2016/680, or Regulation 2016/679 or the national competent authorities supervising the activities of the law enforcement, immigration or asylum authorities putting into service or using those systems.5. For AI systems that are used for law enforcement purposes, Member States shall designate as market surveillance authorities for the purposes of this Regulation the competent data protection supervisory authorities under Directive (EU) 2016/680.5. For high-risk AI systems listed in point 1(a) in so far as the systems are used for law enforcement purposes, points 6, 7 and 8 of Annex III, Member States shall designate as market surveillance authorities for the purposes of this Regulation either the national authorities supervising the activities of the law enforcement, border control, immigration, asylum or judicial authorities, or the competent data protection supervisory authorities under Directive (EU) 2016/680, or Regulation 2016/679. Market surveillance activities shall in no way affect the independence of judicial authorities or otherwise interfere with their activities when acting in their judicial capacity.5. For AI systems listed in point 1(a), particularly high-risk AI systems, in so far as the systems are used for law enforcement purposes, points 6, 7 and 8 of Annex III, Member States shall designate as market surveillance authorities for the purposes of this Regulation either the competent data protection supervisory authorities under Directive (EU) 2016/680, or Regulation 2016/679, or the national competent authorities supervising the activities of the law enforcement, border control, immigration, asylum or judicial authorities putting into service or using those systems. Market surveillance activities shall in no way affect the independence of judicial authorities or otherwise interfere with their activities when acting in their judicial capacity.
Article 63 – paragraph 66. Where Union institutions, agencies and bodies fall within the scope of this Regulation, the European Data Protection Supervisor shall act as their market surveillance authority.6. Where Union institutions, agencies and bodies fall within the scope of this Regulation, the European Data Protection Supervisor shall act as their market surveillance authority.6. Where Union institutions, agencies and bodies fall within the scope of this Regulation, the European Data Protection Supervisor shall act as their market surveillance authority.6. Where Union institutions, agencies and bodies fall within the scope of this Regulation, the European Data Protection Supervisor shall act as their market surveillance authority.
Article 63 – paragraph 77. Member States shall facilitate the coordination between market surveillance authorities designated under this Regulation and other relevant national authorities or bodies which supervise the application of Union harmonisation legislation listed in Annex II or other Union legislation that might be relevant for the high-risk AI systems referred to in Annex III.7. National supervisory authorities designated under this Regulation shall coordinate with other relevant national authorities or bodies which supervise the application of Union harmonisation law listed in Annex II or other Union law that might be relevant for the high-risk AI systems referred to in Annex III.7. Member States shall facilitate the coordination between market surveillance authorities designated under this Regulation and other relevant national authorities or bodies which supervise the application of Union harmonisation legislation listed in Annex II or other Union legislation that might be relevant for the high-risk AI systems referred to in Annex III.7. Member States shall facilitate the coordination between the designated national supervisory authorities and market surveillance authorities under this Regulation and other relevant national authorities or bodies which supervise the application of Union harmonisation legislation or law listed in Annex II or other Union legislation that might be relevant for the high-risk AI systems referred to in Annex III.
Article 63 – paragraph 8 (new)8. Without prejudice to powers provided under Regulation (EU) 2019/1020, and where relevant and limited to what is necessary to fulfil their tasks, the market surveillance authorities shall be granted full access by the provider to the documentation as well as the training, validation and testing datasets used for the development of the high-risk AI system, including, where appropriate and subject to security safeguards, through application programming interfaces (‘API’) or other relevant technical means and tools enabling remote access.Without prejudice to powers provided under Regulation (EU) 2019/1020, the market surveillance authorities shall be granted full access by the provider to the documentation as well as the training, validation and testing datasets used for the development of the high-risk AI system. This access should be relevant and limited to what is necessary to fulfil their tasks, including, where appropriate and subject to security safeguards, through application programming interfaces (‘API’) or other relevant technical means and tools enabling remote access.
Article 63 – paragraph 9 (new)9. Market surveillance authorities shall be granted access to the source code of the high-risk AI system upon a reasoned request and only when the following cumulative conditions are fulfilled:
a) Access to source code is necessary to assess the conformity of a high-risk AI system with the requirements set out in Title III, Chapter 2, and
b) testing/auditing procedures and verifications based on the data and documentation provided by the provider have been exhausted or proved insufficient. 		Market surveillance authorities shall be granted access to the source code of the high-risk AI system upon a reasoned request, but only under the following cumulative conditions: a) Access to the source code is deemed necessary to assess the conformity of a high-risk AI system with the requirements set out in Title III, Chapter 2, and b) all testing/auditing procedures and verifications based on the data and documentation provided by the provider have been exhausted or have proven to be insufficient.
Article 63 – paragraph 10 (new)10. Any information and documentation obtained by market surveillance authorities shall be treated in compliance with the confidentiality obligations set out in Article 70.None
Article 63 – paragraph 11 (new)11. Complaints to the relevant market surveillance authority can be submitted by any natural or legal person having grounds to consider that there has been an infringement of the provisions of this Regulation.

In accordance with Article 11(3)(e) and (7)(a) of Regulation (EU) 2019/1020, complaints shall be taken into account for the purpose of conducting the market surveillance activities and be handled in line with the dedicated procedures established therefore by the market surveillance authorities		Any natural or legal person who believes that there has been a violation of the provisions of this Regulation can submit complaints to the appropriate market surveillance authority. In line with Article 11(3)(e) and (7)(a) of Regulation (EU) 2019/1020, these complaints will be considered for the purpose of carrying out market surveillance activities and will be managed according to the specific procedures established by the market surveillance authorities.
Article 63a (new)Article 63a
Supervision of testing in real world conditions by market surveillance authorities

1. Market surveillance authorities shall have the competence and powers to ensure that testing
in real world conditions is in accordance with this Regulation.

2. Where testing in real world conditions is conducted for AI systems that are supervised within an AI regulatory sandbox under Article 54, the market surveillance authorities shall verify the compliance with the provisions of Article 54a as part of their supervisory role for the AI regulatory sandbox. Those authorities may, as appropriate, allow the testing in real world conditions to be conducted by the provider or prospective provider in derogation to the conditions set out in Article 54a(4) (f) and (g).

3. Where a market surveillance authority has been informed by the prospective provider, the provider or any third party of a serious incident or has other grounds for considering that the conditions set out in Articles 54a and 54b are not met, it may take any of the following decisions on its territory, as appropriate:
(a) suspend or terminate the testing in real world conditions;
(b) require the provider or prospective provider and user(s) to modify any aspect of the testing in real world conditions.

4. Where a market surveillance authority has taken a decision referred to in paragraph 3 of this Article or has issued an objection within the meaning of Article 54a(4)(b), the decision or the objection shall indicate the grounds thereof and the modalities and conditions for the provider or prospective provider to challenge the decision or objection.

5. Where applicable, where a market surveillance authority has taken a decision referred to in paragraph 3 of this Article, it shall communicate the grounds therefor to the market surveillance authorities of the other Member States in which the AI system has been tested in accordance with the testing plan.
Article 63a
Supervision of testing in real world conditions by market surveillance authorities

1. Market surveillance authorities shall have the competence and powers to ensure that testing in real world conditions is in accordance with this Regulation.

2. In cases where testing in real world conditions is conducted for AI systems that are supervised within an AI regulatory sandbox under Article 54, the market surveillance authorities shall verify the compliance with the provisions of Article 54a as part of their supervisory role for the AI regulatory sandbox. The authorities may, as appropriate, permit the testing in real world conditions to be conducted by the provider or prospective provider in derogation to the conditions set out in Article 54a(4) (f) and (g).

3. If a market surveillance authority has been informed by the prospective provider, the provider or any third party of a serious incident or has other grounds for considering that the conditions set out in Articles 54a and 54b are not met, it may take any of the following decisions on its territory, as appropriate:
(a) suspend or terminate the testing in real world conditions;
(b) require the provider or prospective provider and user(s) to modify any aspect of the testing in real world conditions.

4. If a market surveillance authority has taken a decision referred to in paragraph 3 of this Article or has issued an objection within the meaning of Article 54a(4)(b), the decision or the objection shall indicate the grounds thereof and the modalities and conditions for the provider or prospective provider to challenge the decision or objection.

5. Where applicable, if a market surveillance authority has taken a decision referred to in paragraph 3 of this Article, it shall communicate the grounds therefor to the market surveillance authorities of the other Member States in which the AI system has been tested in accordance with the testing plan.
Article 64
NumberingCommissionParliamentCouncilText proposed by the AI
Article 64Article 64
Access to data and documentation		Article 64
Access to data and documentation		Article 64
Powers of authorities protecting fundamental rights		Article 64
Access to data, documentation and powers of authorities protecting fundamental rights
Article 64 – paragraph 11. Access to data and documentation in the context of their activities, the market surveillance authorities shall be granted full access to the training, validation and testing datasets used by the provider, including through application programming interfaces (‘API’) or other appropriate technical means and tools enabling remote access.1. In the context of their activities, and upon their reasoned request the national supervisory authority shall be granted full access to the training, validation and testing datasets used by the provider, or, where relevant, the deployer, that are relevant and strictly necessary for the purpose of its request through appropriate technical means and tools.deletedIn the context of their activities, and upon their reasoned request, the market surveillance authorities and the national supervisory authority shall be granted full access to the training, validation and testing datasets used by the provider, or, where relevant, the deployer. This access should be granted through application programming interfaces (‘API’) or other appropriate technical means and tools enabling remote access, and should only include data that is relevant and strictly necessary for the purpose of its request.
Article 64 – paragraph 22. Where necessary to assess the conformity of the high-risk AI system with the requirements set out in Title III, Chapter 2 and upon a reasoned request, the market surveillance authorities shall be granted access to the source code of the AI system.2. Where necessary to assess the conformity of the high-risk AI system with the requirements set out in Title III, Chapter 2, after all other reasonable ways to verify conformity including paragraph 1 have been exhausted and have proven to be insufficient, and upon a reasoned request, the national supervisory authority shall be granted access to the training and trained models of the AI system, including its relevant model parameters. All information in line with Article 70 obtained shall be treated as confidential information and shall be subject to existing Union law on the protection of intellectual property and trade secrets and shall be deleted upon the completion of the investigation for which the information was requested. deleted2. Where necessary to assess the conformity of the high-risk AI system with the requirements set out in Title III, Chapter 2, after all other reasonable ways to verify conformity including paragraph 1 have been exhausted and have proven to be insufficient, and upon a reasoned request, the market surveillance authorities and the national supervisory authority shall be granted access to the source code, training and trained models of the AI system, including its relevant model parameters. All information obtained shall be treated as confidential information and shall be subject to existing Union law on the protection of intellectual property and trade secrets and shall be deleted upon the completion of the investigation for which the information was requested.
Article 64 – paragraph 2a (new)2a. Paragraphs 1 and 2 are without prejudice to the procedural rights of the concerned operator in accordance with Article 18 of Regulation (EU) 2019/1020.The procedural rights of the concerned operator shall be upheld in accordance with Article 18 of Regulation (EU) 2019/1020, as stated in Paragraphs 1 and 2, without prejudice.
Article 64 – paragraph 33. National public authorities or bodies which supervise or enforce the respect of obligations under Union law protecting fundamental rights in relation to the use of high-risk AI systems referred to in Annex III shall have the power to request and access any documentation created or maintained under this Regulation when access to that documentation is necessary for the fulfilment of the competences under their mandate within the limits of their jurisdiction. The relevant public authority or body shall inform the market surveillance authority of the Member State concerned of any such request.3. National public authorities or bodies which supervise or enforce the respect of obligations under Union law protecting fundamental rights in relation to the use of high-risk AI systems referred to in Annex III shall have the power to request and access any documentation created or maintained under this Regulation when access to that documentation is necessary for the fulfilment of the competences under their mandate within the limits of their jurisdiction. The relevant public authority or body shall inform the national supervisory authority of the Member State concerned of any such request.3. National public authorities or bodies which supervise or enforce the respect of obligations under Union law protecting fundamental rights, including the right to non-discrimination, in relation to the use of high-risk AI systems referred to in Annex III shall have the power to request and access any documentation created or maintained under this Regulation when access to that documentation is necessary for the fulfilment of the competences under their mandate within the limits of their jurisdiction. The relevant public authority or body shall inform the market surveillance authority of the Member State concerned of any such request.3. National public authorities or bodies which supervise or enforce the respect of obligations under Union law protecting fundamental rights, including the right to non-discrimination, in relation to the use of high-risk AI systems referred to in Annex III shall have the power to request and access any documentation created or maintained under this Regulation when access to that documentation is necessary for the fulfilment of the competences under their mandate within the limits of their jurisdiction. The relevant public authority or body shall inform the national supervisory authority or the market surveillance authority of the Member State concerned of any such request.
Article 64 – paragraph 44. By 3 months after the entering into force of this Regulation, each Member State shall identify the public authorities or bodies referred to in paragraph 3 and make a list publicly available on the website of the national supervisory authority. Member States shall notify the list to the Commission and all other Member States and keep the list up to date.4. By 3 months after the entering into force of this Regulation, each Member State shall identify the public authorities or bodies referred to in paragraph 3 and make a list publicly available on the website of the national supervisory authority. National supervisory authorities shall notify the list to the Commission, the AI Office, and all other national supervisory authorities and keep the list up to date. The Commission shall publish in a dedicated website the list of all the competent authorities designated by the Member States in accordance with this Article.4. By 3 months after the entering into force of this Regulation, each Member State shall identify the public authorities or bodies referred to in paragraph 3 and make the list publicly available. Member States shall notify the list to the Commission and all other Member States and keep the list up to date.4. By 3 months after the entering into force of this Regulation, each Member State shall identify the public authorities or bodies referred to in paragraph 3 and make a list publicly available on the website of the national supervisory authority. Member States shall notify the list to the Commission, the AI Office, and all other Member States or national supervisory authorities and keep the list up to date. The Commission shall publish in a dedicated website the list of all the competent authorities designated by the Member States in accordance with this Article.
Article 64 – paragraph 55. Where the documentation referred to in paragraph 3 is insufficient to ascertain whether a breach of obligations under Union law intended to protect fundamental rights has occurred, the public authority or body referred to paragraph 3 may make a reasoned request to the market surveillance authority to organise testing of the high-risk AI system through technical means. The market surveillance authority shall organise the testing with the close involvement of the requesting public authority or body within reasonable time following the request.5. Where the documentation referred to in paragraph 3 is insufficient to ascertain whether a breach of obligations under Union law intended to protect fundamental rights has occurred, the public authority or body referred to in paragraph 3 may make a reasoned request to the national supervisory authority, to organise testing of the high-risk AI system through technical means. The national supervisory authority shall organise the testing with the close involvement of the requesting public authority or body within reasonable time following the request.5. Where the documentation referred to in paragraph 3 is insufficient to ascertain whether a breach of obligations under Union law intended to protect fundamental rights has occurred, the public authority or body referred to paragraph 3 may make a reasoned request to the market surveillance authority to organise testing of the high-risk AI system through technical means. The market surveillance authority shall organise the testing with the close involvement of the requesting public authority or body within reasonable time following the request5. Where the documentation referred to in paragraph 3 is insufficient to ascertain whether a breach of obligations under Union law intended to protect fundamental rights has occurred, the public authority or body referred to in paragraph 3 may make a reasoned request to the market surveillance authority or the national supervisory authority, to organise testing of the high-risk AI system through technical means. The market surveillance authority or the national supervisory authority shall organise the testing with the close involvement of the requesting public authority or body within reasonable time following the request.
Article 64 – paragraph 66.Any information and documentation obtained by the national public authorities or bodies referred to in paragraph 3 pursuant to the provisions of this Article shall be treated in compliance with the confidentiality obligations set out in Article 706.Any information and documentation obtained by the national public authorities or bodies referred to in paragraph 3 pursuant to the provisions of this Article shall be treated in compliance with the confidentiality obligations set out in Article 706. Any information and documentation obtained by the national public authorities or bodies referred to in paragraph 3 pursuant to the provisions of this Article shall be treated in compliance with the confidentiality obligations set out in Article 70.6. Any information and documentation obtained by the national public authorities or bodies referred to in paragraph 3 pursuant to the provisions of this Article shall be treated in compliance with the confidentiality obligations set out in Article 70.
Article 65
NumberingCommissionParliamentCouncilText proposed by the AI
Article 65Article 65
Procedure for dealing with AI systems presenting a risk at national level		Article 65
Procedure for dealing with AI systems presenting a risk at national level		Article 65
Procedure for dealing with AI systems presenting a risk at national level		Article 65
Procedure for dealing with AI systems presenting a risk at national level
Article 65 – paragraph 11. AI systems presenting a risk shall be understood as a product presenting a risk defined in Article 3, point 19 of Regulation (EU) 2019/1020 insofar as risks to the health or safety or to the protection of fundamental rights of persons are concerned.1. AI systems presenting a risk shall be understood as an AI system having the potential to affect adversely health and safety, fundamental rights of persons in general, including in the workplace, protection of consumers, the environment, public security, or democracy or the rule of law and other public interests, that are protected by the applicable Union harmonisation law, to a degree which goes beyond that considered reasonable and acceptable in relation to its intended purpose or under the normal or reasonably foreseeable conditions of use of the system are concerned, including the duration of use and, where applicable, its putting into service, installation and maintenance requirements.1. AI systems presenting a risk shall be understood as a product presenting a risk defined in Article 3, point 19 of Regulation (EU) 2019/1020 insofar as risks to the health or safety or to fundamental rights of persons are concerned.1. AI systems presenting a risk shall be understood as a product or system having the potential to affect adversely health and safety, fundamental rights of persons in general, including in the workplace, protection of consumers, the environment, public security, or democracy or the rule of law and other public interests, that are protected by the applicable Union harmonisation law, to a degree which goes beyond that considered reasonable and acceptable in relation to its intended purpose or under the normal or reasonably foreseeable conditions of use of the system are concerned, including the duration of use and, where applicable, its putting into service, installation and maintenance requirements. This is in line with the risk defined in Article 3, point 19 of Regulation (EU) 2019/1020.
Article 65 – paragraph 2 – introductory part2. Where the market surveillance authority of a Member State has sufficient reasons to consider that an AI system presents a risk as referred to in paragraph 1, they shall carry out an evaluation of the AI system concerned in respect of its compliance with all the requirements and obligations laid down in this Regulation. When risks to the protection of fundamental rights are present, the market surveillance authority shall also inform the relevant national public authorities or bodies referred to in Article 64(3). The relevant operators shall cooperate as necessary with the market surveillance authorities and the other national public authorities or bodies referred to in Article 64(3).2. Where the national supervisory authority of a Member State has sufficient reasons to consider that an AI system presents a risk as referred to in paragraph 1, it shall carry out an evaluation of the AI system concerned in respect of its compliance with all the requirements and obligations laid down in this Regulation. When risks to fundamental rights are present, the national supervisory authority shall also immediately inform and fully cooperate with the relevant national public authorities or bodies referred to in Article 64(3); Where there is sufficient reason to consider that that an AI system exploits the vulnerabilities of vulnerable groups or violates their rights intentionally or unintentionally, the national supervisory authority shall have the duty to investigate the design goals, data inputs, model selection, implementation and outcomes of the AI system . The relevant operators shall cooperate as necessary with the national supervisory authority and the other national public authorities or bodies referred to in Article 64(3);2. Where the market surveillance authority of a Member State has sufficient reasons to consider that an AI system presents a risk as referred to in paragraph 1, they shall carry out an evaluation of the AI system concerned in respect of its compliance with all the requirements and obligations laid down in this Regulation. When risks to fundamental rights are identified, the market surveillance authority shall also inform the relevant national public authorities or bodies referred to in Article 64(3). The relevant operators shall cooperate as necessary with the market surveillance authorities and the other national public authorities or bodies referred to in Article 64(3).2. Where the national supervisory authority or the market surveillance authority of a Member State has sufficient reasons to consider that an AI system presents a risk as referred to in paragraph 1, it shall carry out an evaluation of the AI system concerned in respect of its compliance with all the requirements and obligations laid down in this Regulation. When risks to the protection of fundamental rights are present or identified, the national supervisory authority or the market surveillance authority shall also inform the relevant national public authorities or bodies referred to in Article 64(3). If there is sufficient reason to consider that the AI system exploits the vulnerabilities of vulnerable groups or violates their rights intentionally or unintentionally, the national supervisory authority shall have the duty to investigate the design goals, data inputs, model selection, implementation and outcomes of the AI system. The relevant operators shall cooperate as necessary with the national supervisory authority, the market surveillance authorities and the other national public authorities or bodies referred to in Article 64(3).
Article 65 – paragraph 2 – subparagraph 1Where, in the course of that evaluation, the market surveillance authority finds that the AI system does not comply with the requirements and obligations laid down in this Regulation, it shall without delay require the relevant operator to take all appropriate corrective actions to bring the AI system into compliance, to withdraw the AI system from the market, or to recall it within a reasonable period, commensurate with the nature of the risk, as it may prescribe.Where, in the course of that evaluation, the national supervisory authority or, where relevant, the national public authority referred to in Article 64(3) finds that the AI system does not comply with the requirements and obligations laid down in this Regulation, it shall without delay require the relevant operator to take all appropriate corrective actions to bring the AI system into compliance, to withdraw the AI system from the market, or to recall it within a reasonable period, commensurate with the nature of the risk, as it may prescribe and in any event no later than fifteen working days or as provided for in the relevant Union harmonisation law as applicableWhere, in the course of that evaluation, the market surveillance authority finds that the AI system does not comply with the requirements and obligations laid down in this Regulation, it shall without undue delay require the relevant operator to take all appropriate corrective actions to bring the AI system into compliance, to withdraw the AI system from the market, or to recall it, within a period it may prescribe.Where, in the course of that evaluation, the market surveillance authority or, where relevant, the national public authority referred to in Article 64(3) finds that the AI system does not comply with the requirements and obligations laid down in this Regulation, it shall without undue delay require the relevant operator to take all appropriate corrective actions to bring the AI system into compliance, to withdraw the AI system from the market, or to recall it within a reasonable period, commensurate with the nature of the risk, as it may prescribe and in any event no later than fifteen working days or as provided for in the relevant Union harmonisation law as applicable.
Article 65 – paragraph 2 – subparagraph 2The market surveillance authority shall inform the relevant notified body accordingly. Article 18 of Regulation (EU) 2019/1020 shall apply to the measures referred to in the second subparagraph.The national supervisory authority shall inform the relevant notified body accordingly. Article 18 of Regulation (EU) 2019/1020 shall apply to the measures referred to in the second subparagraph.The market surveillance authority shall inform the relevant notified body accordingly. Article 18 of Regulation (EU) 2019/1020 shall apply to the measures referred to in the second subparagraph.The market surveillance authority, also referred to as the national supervisory authority, shall inform the relevant notified body accordingly. Article 18 of Regulation (EU) 2019/1020 shall apply to the measures referred to in the second subparagraph.
Article 65 – paragraph 33. Where the market surveillance authority considers that non-compliance is not restricted to its national territory, it shall inform the Commission and the other Member States of the results of the evaluation and of the actions which it has required the operator to take.3. Where the national supervisory authority considers that non-compliance is not restricted to its national territory, it shall inform the Commission, the AI Office and the national supervisory authority of the other Member States without undue delay of the results of the evaluation and of the actions which it has required the operator to take.3. Where the market surveillance authority considers that non-compliance is not restricted to its national territory, it shall inform the Commission and the other Member States without undue delay of the results of the evaluation and of the actions which it has required the operator to take.3. Where the national supervisory authority or the market surveillance authority considers that non-compliance is not restricted to its national territory, it shall inform the Commission, the AI Office (if applicable), and the national supervisory authority of the other Member States without undue delay of the results of the evaluation and of the actions which it has required the operator to take.
Article 65 – paragraph 44.The operator shall ensure that all appropriate corrective action is taken in respect of all the AI systems concerned that it has made available on the market throughout the Union.4.The operator shall ensure that all appropriate corrective action is taken in respect of all the AI systems concerned that it has made available on the market throughout the Union.4. The operator shall ensure that all appropriate corrective action is taken in respect of all the AI systems concerned that it has made available on the market throughout the Union.4. The operator shall ensure that all appropriate corrective action is taken in respect of all the AI systems concerned that it has made available on the market throughout the Union.
Article 65 – paragraph 55.  Where the operator of an AI system does not take adequate corrective action within the period referred to in paragraph 2, the market surveillance authority shall take all appropriate provisional measures to prohibit or restrict the AI system’s being made available on its national market, to withdraw the product from that market or to recall it. That authority shall inform the Commission and the other Member States, without delay, of those measures.5.  Where the operator of an AI system does not take adequate corrective action within the period referred to in paragraph 2, the national supervisory authority shall take all appropriate provisional measures to prohibit or restrict the AI system’s being made available on its national market or put into service, to withdraw the AI system from that market or to recall it. That authority shall immediately inform the Commission, the AI Office and the national supervisory authority of the other Member States of those measures.5. Where the operator of an AI system does not take adequate corrective action within the period referred to in paragraph 2, the market surveillance authority shall take all appropriate provisional measures to prohibit or restrict the AI system’s being made available on its national market, to withdraw the product from that market or to recall it. That authority shall notify the Commission and the other Member States, without undue delay, of those measures.5. Where the operator of an AI system does not take adequate corrective action within the period referred to in paragraph 2, the national supervisory/market surveillance authority shall take all appropriate provisional measures to prohibit or restrict the AI system’s being made available on its national market or put into service, to withdraw the product/AI system from that market or to recall it. That authority shall inform/notify the Commission, the AI Office (if applicable), and the other Member States, without delay or undue delay, of those measures.
Article 65 – paragraph 6 – introductory part6.  The information referred to in paragraph 5 shall include all available details, in particular the data necessary for the identification of the non-compliant AI system, the origin of the AI system, the nature of the non-compliance alleged and the risk involved, the nature and duration of the national measures taken and the arguments put forward by the relevant operator. In particular, the market surveillance authorities shall indicate whether the non-compliance is due to one or more of the following:6.  The information referred to in paragraph 5 shall include all available details, in particular the data necessary for the identification of the non-compliant AI system, the origin of the AI system and the supply chain, the nature of the non-compliance alleged and the risk involved, the nature and duration of the national measures taken and the arguments put forward by the relevant operator. In particular, the national supervisory authority shall indicate whether the non-compliance is due to one or more of the following:6. The notification referred to in paragraph 5 shall include all available details, in particular the information necessary for the identification of the non-compliant AI system, the origin of the AI system, the nature of the non-compliance alleged and the risk involved, the nature and duration of the national measures taken and the arguments put forward by the relevant operator. In particular, the market surveillance authorities shall indicate whether the non-compliance is due to one or more of the following:6. The information referred to in paragraph 5 shall include all available details, in particular the data necessary for the identification of the non-compliant AI system, the origin of the AI system and the supply chain, the nature of the non-compliance alleged and the risk involved, the nature and duration of the national measures taken and the arguments put forward by the relevant operator. In particular, the market surveillance authorities and the national supervisory authority shall indicate whether the non-compliance is due to one or more of the following:
Article 65 – paragraph 6 – point -a (new)(-a) non-compliance with the prohibition of the artificial intelligence practices referred to in Article 5;In the event of non-compliance with the prohibition of the artificial intelligence practices as outlined in Article 5, appropriate measures should be taken.
Article 65 – paragraph 6 – point a(a)  a failure of the AI system to meet requirements set out in Title III, Chapter 2;(a)  a failure of the high-risk AI system to meet requirements set out this Regulation;(a) a failure of a high-risk AI system to meet requirements set out in Title III, Chapter 2;(a) a failure of the high-risk AI system to meet requirements set out in Title III, Chapter 2 of this Regulation;
Article 65 – paragraph 6 – point b(b) shortcomings in the harmonised standards or common specifications referred to in Articles 40 and 41 conferring a presumption of conformity.(b) shortcomings in the harmonised standards or common specifications referred to in Articles 40 and 41 conferring a presumption of conformity.(b) shortcomings in the harmonised standards or common specifications referred to in Articles 40 and 41 conferring a presumption of conformity.(b) shortcomings in the harmonised standards or common specifications referred to in Articles 40 and 41 conferring a presumption of conformity.
Article 65 – paragraph 6 – point ba (new)(ba) non-compliance with the prohibition of the artificial intelligence practices referred to in Article 5;Non-compliance with the prohibition of the artificial intelligence practices as outlined in Article 5.
Article 65 – paragraph 6 – point bb [P] / point c [C] (new)(bb) non-compliance with provisions set out in Article 52.(c) non-compliance with provisions set out in Article 52;Non-compliance with provisions set out in Article 52.
Article 65 – paragraph 6 – point d (new)(d) non-compliance of general purpose AI systems with the requirements and obligations referred to in Article 4a;None
Article 65 – paragraph 77.  The market surveillance authorities of the Member States other than the market surveillance authority of the Member State initiating the procedure shall without delay inform the Commission and the other Member States of any measures adopted and of any additional information at their disposal relating to the non-compliance of the AI system concerned, and, in the event of disagreement with the notified national measure, of their objections.7.  The national supervisory authorities of the Member States other than the national supervisory authority of the Member State initiating the procedure shall without delay inform the Commission, the AI Office and the other Member States of any measures adopted and of any additional information at their disposal relating to the non-compliance of the AI system concerned, and, in the event of disagreement with the notified national measure, of their objections.7. The market surveillance authorities of the Member States other than the market surveillance authority of the Member State initiating the procedure shall without undue delay inform the Commission and the other Member States of any measures adopted and of any additional information at their disposal relating to the non-compliance of the AI system concerned, and, in the event of disagreement with the notified national measure, of their objections.7. The national supervisory and market surveillance authorities of the Member States other than the national supervisory or market surveillance authority of the Member State initiating the procedure shall without delay or undue delay inform the Commission, the AI Office and the other Member States of any measures adopted and of any additional information at their disposal relating to the non-compliance of the AI system concerned, and, in the event of disagreement with the notified national measure, of their objections.
Article 65 – paragraph 88. Where, within three months of receipt of the information referred to in paragraph 5, no objection has been raised by either a Member State or the Commission in respect of a provisional measure taken by a Member State, that measure shall be deemed justified. This is without prejudice to the procedural rights of the concerned operator in accordance with Article 18 of Regulation (EU) 2019/1020.8.  Where, within three months of receipt of the information referred to in paragraph 5, no objection has been raised by either a national supervisory authority of a Member State or the Commission in respect of a provisional measure taken by a national supervisory authority of another Member State, that measure shall be deemed justified. This is without prejudice to the procedural rights of the concerned operator in accordance with Article 18 of Regulation (EU) 2019/1020. The period referred to in the first sentence of this paragraph shall be reduced to thirty days in the event of non-compliance with the prohibition of the artificial intelligence practices referred to in Article 5.8. Where, within three months of receipt of the notification referred to in paragraph 5, no objection has been raised by either a Member State or the Commission in respect of a provisional measure taken by a Member State, that measure shall be deemed justified. This is without prejudice to the procedural rights of the concerned operator in accordance with Article 18 of Regulation (EU) 2019/1020. The period referred to in the first sentence of this paragraph shall be reduced to 30 days in the case of non-compliance with the prohibition of the artificial intelligence practices referred to in Article 5.8. Where, within three months of receipt of the information or notification referred to in paragraph 5, no objection has been raised by either a Member State, a national supervisory authority of a Member State, or the Commission in respect of a provisional measure taken by a Member State or a national supervisory authority of another Member State, that measure shall be deemed justified. This is without prejudice to the procedural rights of the concerned operator in accordance with Article 18 of Regulation (EU) 2019/1020. The period referred to in the first sentence of this paragraph shall be reduced to thirty days in the event of non-compliance with the prohibition of the artificial intelligence practices referred to in Article 5.
Article 65 – paragraph 99.  The market surveillance authorities of all Member States shall ensure that appropriate restrictive measures are taken in respect of the product concerned, such as withdrawal of the product from their market, without delay.9.  The national supervisory authorities of all Member States shall ensure that appropriate restrictive measures are taken in respect of the AI system concerned, such as withdrawal of the AI system from their market, without delay.9. The market surveillance authorities of all Member States shall then ensure that appropriate restrictive measures are taken in respect of the AI system concerned, such as withdrawal of the product from their market, without undue delay.9. The national supervisory and market surveillance authorities of all Member States shall ensure that appropriate restrictive measures are taken in respect of the product or AI system concerned, such as withdrawal from their market, without any delay.
Article 65 – paragraph 9a (new)9a. National supervisory authorities shall annually report to the AI Office about the use of prohibited practices that occurred during that year and about the measures taken to eliminate or mitigate the risks in accordance with this Article.National supervisory authorities are required to submit an annual report to the AI Office, detailing the use of prohibited practices that took place during that year. The report should also include the measures that were implemented to eliminate or mitigate the associated risks, in accordance with this Article.
Article 66
NumberingCommissionParliamentCouncilText proposed by the AI
Article 66Article 66
Union safeguard procedure		Article 66
Union safeguard procedure		Article 66
Union safeguard procedure		Article 66
Union safeguard procedure
Article 66 – paragraph 11. Where, within three months of receipt of the notification referred to in Article 65(5), objections are raised by a Member State against a measure taken by another Member State, or where the Commission considers the measure to be contrary to Union law, the Commission shall without delay enter into consultation with the relevant Member State and operator or operators and shall evaluate the national measure. On the basis of the results of that evaluation, the Commission shall decide whether the national measure is justified or not within 9 months from the notification referred to in Article 65(5) and notify such decision to the Member State concerned.1. Where, within three months of receipt of the notification referred to in Article 65(5), or 30 days in the case of non-compliance with the prohibition of the artificial intelligence practices referred to in Article 5, objections are raised by the national supervisory authority of a Member State against a measure taken by another national supervisory authority, or where the Commission considers the measure to be contrary to Union law, the Commission shall without delay enter into consultation with the national supervisory authority of the relevant Member State and operator or operators and shall evaluate the national measure. On the basis of the results of that evaluation, the Commission shall decide whether the national measure is justified or not within three months, or 60 days in the case of non-compliance with the prohibition of the artificial intelligence practices referred to in Article 5, starting from the notification referred to in Article 65(5) and notify such decision to the national supervisory authority of the Member State concerned. The Commission shall also inform all other national supervisory authorities of such decision.1. Where, within three months of receipt of the notification referred to in Article 65(5), or 30 days in the case of non-compliance with the prohibition of the artificial intelligence practices referred to in Article 5, objections are raised by a Member State against a measure taken by another Member State, or where the Commission considers the measure to be contrary to Union law, the Commission shall without undue delay enter into consultation with the relevant Member State’s market surveillance authority and operator or operators and shall evaluate the national measure. On the basis of the results of that evaluation, the Commission shall decide whether the national measure is justified or not within 9 months, or 60 days in the case of non-compliance with the prohibition of the artificial intelligence practices referred to in Article 5, starting from the notification referred to in Article 65(5). It shall and notify such decision to the Member State concerned. The Commission shall also inform all other Member States of such decision.1. Where, within three months of receipt of the notification referred to in Article 65(5), or 30 days in the case of non-compliance with the prohibition of the artificial intelligence practices referred to in Article 5, objections are raised by a Member State or the national supervisory authority of a Member State against a measure taken by another Member State or national supervisory authority, or where the Commission considers the measure to be contrary to Union law, the Commission shall without delay enter into consultation with the relevant Member State, its national supervisory authority or market surveillance authority, and operator or operators and shall evaluate the national measure. On the basis of the results of that evaluation, the Commission shall decide whether the national measure is justified or not within 9 months, or 60 days in the case of non-compliance with the prohibition of the artificial intelligence practices referred to in Article 5, starting from the notification referred to in Article 65(5) and notify such decision to the Member State or national supervisory authority concerned. The Commission shall also inform all other Member States and national supervisory authorities of such decision.
Article 66 – paragraph 22. If the national measure is considered justified, all Member States shall take the measures necessary to ensure that the non-compliant AI system is withdrawn from their market, and shall inform the Commission accordingly. If the national measure is considered unjustified, the Member State concerned shall withdraw the measure.2. If the national measure is considered justified, all national supervisory authorities designated under this Regulation shall take the measures necessary to ensure that the non-compliant AI system is withdrawn from their market without delay, and shall inform the Commission and the AI Office accordingly. If the national measure is considered unjustified, the national supervisory authority of the Member State concerned shall withdraw the measure2. If the measure taken by the relevant Member State’s market surveillance authority is considered justified by the Commission, the market surveillance authorities of all Member States shall ensure that appropriate restrictive measures are taken in respect of the AI system concerned, such as withdrawal of the AI system from their market without undue delay, and shall inform the Commission accordingly. If the national measure is considered unjustified by the Commission, the market surveillance authority of the Member State concerned shall withdraw the measure and inform the Commission accordingly.2. If the national measure, taken by the relevant Member State’s market surveillance authority or national supervisory authority designated under this Regulation, is considered justified by the Commission, all Member States or their respective authorities shall take the necessary measures to ensure that the non-compliant AI system is withdrawn from their market without undue delay. They shall inform the Commission and, where applicable, the AI Office accordingly. If the national measure is considered unjustified by the Commission, the market surveillance authority or the national supervisory authority of the Member State concerned shall withdraw the measure and inform the Commission accordingly.
Article 66 – paragraph 33. Where the national measure is considered justified and the non-compliance of the AI system is attributed to shortcomings in the harmonised standards or common specifications referred to in Articles 40 and 41 of this Regulation, the Commission shall apply the procedure provided for in Article 11 of Regulation (EU) No 1025/2012.3. Where the national measure is considered justified and the non-compliance of the AI system is attributed to shortcomings in the harmonised standards or common specifications referred to in Articles 40 and 41 of this Regulation, the Commission shall apply the procedure provided for in Article 11 of Regulation (EU) No 1025/2012.3. Where the national measure is considered justified and the non-compliance of the AI system is attributed to shortcomings in the harmonised standards or common specifications referred to in Articles 40 and 41 of this Regulation, the Commission shall apply the procedure provided for in Article 11 of Regulation (EU) No 1025/2012.3. Where the national measure is considered justified and the non-compliance of the AI system is attributed to shortcomings in the harmonised standards or common specifications referred to in Articles 40 and 41 of this Regulation, the Commission shall apply the procedure provided for in Article 11 of Regulation (EU) No 1025/2012.
Article 66a (new)Article 66a)
Joint investigations

Where a national supervisory authority has reasons to suspect that the infringement by a provider or a deployer of a high-risk AI system or foundation model to this Regulation amount to a widespread infringement with a Union dimension, or affects or is likely affect at least 45 million individuals, in more than one Member State, that national supervisory authority shall inform the AI Office and may request the national supervisory authorities of the Member States where such infringement took place to start a joint investigation. The AI Office shall provide central coordination to the joint investigation. Investigation powers shall remain within the competence of the national supervisory authorities.
Article 66a)
Joint investigations

In the event that a national supervisory authority has grounds to suspect that a provider or a deployer of a high-risk AI system or foundation model has committed an infringement to this Regulation that constitutes a widespread infringement with a Union dimension, or impacts or is likely to impact at least 45 million individuals across more than one Member State, the national supervisory authority is obliged to notify the AI Office. The national supervisory authority may also request the national supervisory authorities of the Member States where the infringement occurred to initiate a joint investigation. The AI Office is responsible for providing central coordination for the joint investigation. However, the powers to conduct the investigation shall remain within the jurisdiction of the national supervisory authorities.
Article 67
NumberingCommissionParliamentCouncilText proposed by the AI
Article 67Article 67
Compliant AI systems which present a risk		Article 67
Compliant AI systems which present a risk		Article 67
Compliant high-risk or general purpose AI systems which present a risk		Article 67
Compliant AI systems, including high-risk or general purpose systems, which present a risk
Article 67 – paragraph 11. Where, having performed an evaluation under Article 65, the market surveillance authority of a Member State finds that although an AI system is in compliance with this Regulation, it presents a risk to the health or safety of persons, to the compliance with obligations under Union or national law intended to protect fundamental rights or to other aspects of public interest protection, it shall require the relevant operator to take all appropriate measures to ensure that the AI system concerned, when placed on the market or put into service, no longer presents that risk, to withdraw the AI system from the market or to recall it within a reasonable period, commensurate with the nature of the risk, as it may prescribe.1. Where, having performed an evaluation under Article 65, in full cooperation with the relevant national public authority referred to in Article 64(3), the national supervisory authority of a Member State finds that although an AI system is in compliance with this Regulation, it presents a serious risk to the health or safety of persons, to the compliance with obligations under Union or national law intended to protect fundamental rights, or the environment or the democracy and rule of law or to other aspects of public interest protection , it shall require the relevant operator to take all appropriate measures to ensure that the AI system concerned, when placed on the market or put into service, no longer presents that risk.1. Where, having performed an evaluation under Article 65, the market surveillance authority of a Member State finds that although a high-risk or general purpose AI system is in compliance with this Regulation, it presents a risk to the health or safety of persons or to fundamental rights, it shall require the relevant operator to take all appropriate measures to ensure that the AI system concerned, when placed on the market or put into service, no longer presents that risk, to withdraw the AI system from the market or to recall it without undue delay, within a period it may prescribe.1. Where, having performed an evaluation under Article 65, in full cooperation with the relevant national public authority referred to in Article 64(3), the market surveillance authority or national supervisory authority of a Member State finds that although a high-risk, general purpose or any AI system is in compliance with this Regulation, it presents a serious risk to the health or safety of persons, to the compliance with obligations under Union or national law intended to protect fundamental rights, the environment, the democracy and rule of law or to other aspects of public interest protection, it shall require the relevant operator to take all appropriate measures to ensure that the AI system concerned, when placed on the market or put into service, no longer presents that risk, to withdraw the AI system from the market or to recall it within a reasonable period, commensurate with the nature of the risk, or without undue delay, as it may prescribe.
Article 67 – paragraph 22. The provider or other relevant operators shall ensure that corrective action is taken in respect of all the AI systems concerned that they have made available on the market throughout the Union within the timeline prescribed by the market surveillance authority of the Member State referred to in paragraph 1.2. The provider or other relevant operators shall ensure that corrective action is taken in respect of all the AI systems concerned that they have made available on the market throughout the Union within the timeline prescribed by the national supervisory authority authority of the Member State referred to in paragraph 1.2. The provider or other relevant operators shall ensure that corrective action is taken in respect of all the AI systems concerned that they have made available on the market throughout the Union within the timeline prescribed by the market surveillance authority of the Member State referred to in paragraph 1.2. The provider or other relevant operators shall ensure that corrective action is taken in respect of all the AI systems concerned that they have made available on the market throughout the Union within the timeline prescribed by the market surveillance authority or the national supervisory authority of the Member State referred to in paragraph 1.
Article 67 – paragraph 2a (new)2a. Where the provider or other relevant operators fail to take corrective action as referred to in paragraph 2 and the AI system continues to present a risk as referred to in paragraph 1, the national supervisory authority may require the relevant operator to withdraw the AI system from the market or to recall it within a reasonable period, commensurate with the nature of the risk. In the event that the provider or other relevant operators do not take the corrective action as outlined in paragraph 2, and the AI system continues to pose a risk as described in paragraph 1, the national supervisory authority has the right to mandate the relevant operator to either withdraw the AI system from the market or recall it within a reasonable timeframe, which should be proportionate to the nature of the risk.
Article 67 – paragraph 33. The Member State shall immediately inform the Commission and the other Member States. That information shall include all available details, in particular the data necessary for the identification of the AI system concerned, the origin and the supply chain of the AI system, the nature of the risk involved and the nature and duration of the national measures taken.3. The national supervisory authority shall immediately inform the Commission, the AI Office and the other national supervisory authorities. That information shall include all available details, in particular the data necessary for the identification of the AI system concerned, the origin and the supply chain of the AI system, the nature of the risk involved and the nature and duration of the national measures taken.3. The Member State shall immediately inform the Commission and the other Member States. That information shall include all available details, in particular the data necessary for the identification of the AI system concerned, the origin and the supply chain of the AI system, the nature of the risk involved and the nature and duration of the national measures taken.3. The Member State or the national supervisory authority shall immediately inform the Commission, the AI Office if applicable, and the other Member States or national supervisory authorities. That information shall include all available details, in particular the data necessary for the identification of the AI system concerned, the origin and the supply chain of the AI system, the nature of the risk involved and the nature and duration of the national measures taken.
Article 67 – paragraph 44. The Commission shall without delay enter into consultation with the Member States and the relevant operator and shall evaluate the national measures taken. On the basis of the results of that evaluation, the Commission shall decide whether the measure is justified or not and, where necessary, propose appropriate measures.4. The Commission, in consultation with the AI Office shall without delay enter into consultation with the national supervisory authorities concerned and the relevant operator and shall evaluate the national measures taken. On the basis of the results of that evaluation, the AI Office shall decide whether the measure is justified or not and, where necessary, propose appropriate measures.4. The Commission shall without undue delay enter into consultation with the Member States concerned and the relevant operator and shall evaluate the national measures taken. On the basis of the results of that evaluation, the Commission shall decide whether the measure is justified or not and, where necessary, propose appropriate measures.4. The Commission, in consultation with the AI Office, shall without undue delay enter into consultation with the Member States, the national supervisory authorities concerned, and the relevant operator and shall evaluate the national measures taken. On the basis of the results of that evaluation, the Commission and the AI Office shall decide whether the measure is justified or not and, where necessary, propose appropriate measures.
Article 67 – paragraph 55. The Commission shall address its decision to the Member States.5. The Commission, in consultation with the AI Office shall immediately communicate its decision to the national supervisory authorities of the Member States concerned and to the relevant operators. It shall also inform the decision to all other national supervisory authorities. 5. The Commission shall address its decision to the Member States concerned, and inform all other Member States.5. The Commission, in consultation with the AI Office, shall address its decision to the Member States concerned, immediately communicate the decision to the national supervisory authorities of these Member States and to the relevant operators. It shall also inform the decision to all other national supervisory authorities and Member States.
Article 67 – paragraph 5a (new)5a. The Commission shall adopt guidelines to help national competent authorities to identify and rectify, where necessary, similar problems arising in other AI systems.The Commission shall adopt guidelines to assist national competent authorities in identifying and rectifying, where necessary, similar issues that may arise in other AI systems.
Article 68
NumberingCommissionParliamentCouncilText proposed by the AI
Article 68Article 68
Formal non-compliance		Article 68
Formal non-compliance		Article 68
Formal non-compliance		None
Article 68 – paragraph 1 – introductory part1. Where the market surveillance authority of a Member State makes one of the following findings, it shall require the relevant provider to put an end to the non-compliance concerned:1. Where the national supervisory authority of a Member State makes one of the following findings, it shall require the relevant provider to put an end to the non-compliance concerned:1. Where the market surveillance authority of a Member State makes one of the following findings, it shall require the relevant provider to put an end to the non-compliance concerned, within a period it may prescribe:1. Where the market surveillance or national supervisory authority of a Member State makes one of the following findings, it shall require the relevant provider to put an end to the non-compliance concerned, within a period it may prescribe:
Article 68 – paragraph 1 – point a(a) the conformity marking has been affixed in violation of Article 49;(a) the CE marking has been affixed in violation of Article 49;(a) the conformity marking has been affixed in violation of Article 49;(a) the conformity/CE marking has been affixed in violation of Article 49;
Article 68 – paragraph 1 – point b(b) the conformity marking has not been affixed;(b) the CE marking has not been affthe conformity marking has not been affixedixed;(b) the conformity marking has not been affixed;(b) the conformity marking, also known as the CE marking, has not been affixed;
Article 68 – paragraph 1 – point c(c) the EU declaration of conformity has not been drawn up;(c) the EU declaration of conformity has not been drawn up;(c) the EU declaration of conformity has not been drawn up;
Article 68 – paragraph 1 – point d(d) the EU declaration of conformity has not been drawn up correctly;(d) the EU declaration of conformity has not been drawn up correctly;(d) the EU declaration of conformity has not been drawn up correctly;
Article 68 – paragraph 1 – point e(e) the identification number of the notified body, which is involved in the conformity assessment procedure, where applicable, has not been affixed;(e) the identification number of the notified body, which is involved in the conformity assessment procedure, where applicable, has not been affixed;(e) the identification number of the notified body, which is involved in the conformity assessment procedure, where applicable, has not been affixed;
Article 68 – paragraph 1 – point ea (new)(ea) the technical documentation is not available;The technical documentation is not available.
Article 68 – paragraph 1 – point eb (new)(eb) the registration in the EU database has not been carried out;The registration in the EU database has not been completed.
Article 68 – paragraph 1 – point ec (new)(ec) where applicable, the authorised representative has not been appointed.The authorised representative has not been appointed, where applicable.
Article 68 – paragraph 22. Where the non-compliance referred to in paragraph 1 persists, the Member State concerned shall take all appropriate measures to restrict or prohibit the high-risk AI system being made available on the market or ensure that it is recalled or withdrawn from the market.2. Where the non-compliance referred to in paragraph 1 persists, the national supervisory authority of the Member State concerned shall take appropriate and proportionate measures to restrict or prohibit the high-risk AI system being made available on the market or ensure that it is recalled or withdrawn from the market without delay. The national supervisory authority of the Member State concerned shall immediately inform the AI Office of the non-compliance and the measures taken.2. Where the non-compliance referred to in paragraph 1 persists, the Member State concerned shall take all appropriate measures to restrict or prohibit the high-risk AI system being made available on the market or ensure that it is recalled or withdrawn from the market.2. Where the non-compliance referred to in paragraph 1 persists, the Member State concerned, through its national supervisory authority, shall take all appropriate and proportionate measures to restrict or prohibit the high-risk AI system being made available on the market or ensure that it is recalled or withdrawn from the market without delay. The national supervisory authority of the Member State concerned shall immediately inform the AI Office of the non-compliance and the measures taken.
Article 68a (new) [C]Article 68a
Union testing facilities in the area of artificial intelligence

1. The Commission shall designate one or more Union testing facilities pursuant to Article 21 of Regulation (EU) 1020/2019 in the area of artificial intelligence.

2. Without prejudice to the activities of Union testing facilities referred to in Article 21(6) of Regulation (EU) 1020/2019, Union testing facilities referred to in paragraph 1 shall also provide independent technical or scientific advice at the request of the Board or market surveillance authorities.		Article 68a
Union testing facilities in the area of artificial intelligence

1. The Commission shall designate one or more Union testing facilities in the area of artificial intelligence, pursuant to Article 21 of Regulation (EU) 1020/2019.

2. In addition to the activities of Union testing facilities referred to in Article 21(6) of Regulation (EU) 1020/2019, the Union testing facilities mentioned in paragraph 1 shall also provide independent technical or scientific advice when requested by the Board or market surveillance authorities.
Article 68b (new) [C]Article 68b
Central pool of independent experts

1. Upon request of the AI Board, the Commission shall, by means of an implementing act, make provisions on the creation, maintenance and financing of a central pool of independent experts to support the enforcement activities under this Regulation.

2. Experts shall be selected by the Commission and included in the central pool on the basis of up-to-date scientific or technical expertise in the field of artificial intelligence, having due regard to the technical areas covered by the requirements and obligations in this Regulation and the activities of market surveillance authorities pursuant to Article 11 of Regulation (EU) 1020/2019. The Commission shall determine the number of experts in the pool in accordance with the required needs.

3. Experts may have the following tasks:
(a) provide advice to and support the work of market surveillance authorities, at their request;
(b) support cross-border market surveillance investigations as referred to in Article 58(h), without prejudice of the powers of market surveillance authorities;
(c) advise and support the Commission when carrying out its duties in the context of the safeguard clause pursuant to Article 66.

4. The experts shall perform their tasks with impartiality, objectivity and ensure the confidentiality of information and data obtained in carrying out their tasks and activities. Each expert shall draw up a declaration of interests, which shall be made publicly available. The Commission shall establish systems and procedures to actively manage and prevent potential conflicts of interest.

5. The Member States may be required to pay fees for the advice and support by the experts. The structure and the level of fees as well as the scale and structure of recoverable costs shall be adopted by the Commission by means of the implementing act referred to in paragraph 1, taking into account the objectives of the adequate implementation of this Regulation, cost-effectiveness and the necessity to ensure an effective access to experts by all Member States.

6. The Commission shall facilitate timely access to the experts by the Member States, as needed, and ensure that the combination of support activities carried out by Union testing facilities pursuant to Article 68a and experts pursuant to this Article is efficiently organised and provides the best possible added value.		Article 68b
Central pool of independent experts

1. The Commission shall, upon the request of the AI Board, establish provisions through an implementing act for the creation, maintenance, and financing of a central pool of independent experts. These experts will support the enforcement activities under this Regulation.

2. The Commission will select experts for the central pool based on their current scientific or technical expertise in the field of artificial intelligence. The selection will consider the technical areas covered by the requirements and obligations in this Regulation and the activities of market surveillance authorities as per Article 11 of Regulation (EU) 1020/2019. The Commission will determine the number of experts in the pool according to the required needs.

3. The tasks of the experts may include:
(a) providing advice to and supporting the work of market surveillance authorities, upon their request;
(b) supporting cross-border market surveillance investigations as referred to in Article 58(h), without infringing on the powers of market surveillance authorities;
(c) advising and supporting the Commission in performing its duties in the context of the safeguard clause pursuant to Article 66.

4. The experts must perform their tasks with impartiality and objectivity, ensuring the confidentiality of information and data obtained in carrying out their tasks and activities. Each expert will provide a declaration of interests, which will be made publicly available. The Commission will establish systems and procedures to actively manage and prevent potential conflicts of interest.

5. The Member States may be required to pay fees for the advice and support provided by the experts. The Commission will adopt the structure and level of fees, as well as the scale and structure of recoverable costs, through the implementing act referred to in paragraph 1. This will take into account the objectives of the adequate implementation of this Regulation, cost-effectiveness, and the necessity to ensure effective access to experts by all Member States.

6. The Commission will facilitate timely access to the experts by the Member States as needed. It will also ensure that the combination of support activities carried out by Union testing facilities pursuant to Article 68a and experts pursuant to this Article is efficiently organized and provides the best possible added value.
CHAPTER 3a (new)CHAPTER 3a
Remedies		None
Article 68a (new) [P]Article 68 a
Right to lodge a complaint with a national supervisory authority

1. Without prejudice to any other administrative or judicial remedy, every natural persons or groups of natural persons shall have the right to lodge a complaint with a national supervisory authority, in particular in the Member State of his or her habitual residence, place of work or place of the alleged infringement if they consider that the AI system relating to him or her infringes this Regulation.

2. The national supervisory authority with which the complaint has been lodged shall inform the complainant on the progress and the outcome of the complaint including the possibility of a judicial remedy pursuant to Article 78.		Article 68 a
Right to lodge a complaint with a national supervisory authority

1. Without prejudice to any other administrative or judicial remedy, every natural person or groups of natural persons shall have the right to lodge a complaint with a national supervisory authority, particularly in the Member State of their habitual residence, place of work or place of the alleged infringement if they consider that the AI system relating to them infringes this Regulation.

2. The national supervisory authority with which the complaint has been lodged shall inform the complainant on the progress and the outcome of the complaint, including the possibility of a judicial remedy pursuant to Article 78.
Article 68b (new) [P]Article 68 b
Right to an effective judicial remedy against a national supervisory authority

1. Without prejudice to any other administrative or non-judicial remedy, each natural or legal person shall have the right to an effective judicial remedy against a legally binding decision of a national supervisory authority concerning them.

2. Without prejudice to any other administrative or non-judicial remedy, each natural or legal person shall have the right to a an effective judicial remedy where the national supervisory authority which is competent pursuant to Articles 59 does not handle a complaint or does not inform the data subject within three months on the progress or outcome of the complaint lodged pursuant to Article 68a.

3. Proceedings against a national supervisory authority shall be brought before the courts of the Member State where the national supervisory authority is established.

4. Where proceedings are brought against a decision of a national supervisory authority which was preceded by an opinion or a decision of the Commission in the union safeguard procedure, the supervisory authority shall forward that opinion or decision to the court.		Article 68 b
Right to an effective judicial remedy against a national supervisory authority

1. Without prejudice to any other administrative or non-judicial remedy, each natural or legal person shall have the right to an effective judicial remedy against a legally binding decision of a national supervisory authority concerning them.

2. Without prejudice to any other administrative or non-judicial remedy, each natural or legal person shall have the right to a an effective judicial remedy where the national supervisory authority which is competent pursuant to Articles 59 does not handle a complaint or does not inform the data subject within three months on the progress or outcome of the complaint lodged pursuant to Article 68a.

3. Proceedings against a national supervisory authority shall be brought before the courts of the Member State where the national supervisory authority is established.

4. Where proceedings are brought against a decision of a national supervisory authority which was preceded by an opinion or a decision of the Commission in the union safeguard procedure, the supervisory authority shall forward that opinion or decision to the court.
Article 68c (new)Article 68 c
A right to explanation of individual decision-making

1. Any affected person subject to a decision which is taken by the deployer on the basis of the output from an high-risk AI system which produces legal effects or similarly significantly affects him or her in a way that they consider to adversely impact their health, safety, fundamental rights, socio-economic well-being or any other of the rights deriving from the obligations laid down in this Regulation, shall have the right to request from the deployer clear and meaningful explanation pursuant to Article 13(1) on the role of the AI system in the decision-making procedure, the main parameters of the decision taken and the related input data.

2. Paragraph 1 shall not apply to the use of AI systems for which exceptions from, or restrictions to, the obligation under paragraph 1 follow from Union or national law are provided in so far as such exception or restrictions respect the essence of the fundamental rights and freedoms and is a necessary and proportionate measure in a democratic society.

3. This Article shall apply without prejudice to Articles 13, 14, 15, and 22 of the Regulation 2016/679. 		Article 68 c
Right to Explanation of Individual Decision-Making

1. Any individual affected by a decision, which is made based on the output from a high-risk AI system and produces legal effects or significantly impacts them in a way that they perceive as detrimental to their health, safety, fundamental rights, socio-economic well-being or any other rights deriving from the obligations laid down in this Regulation, shall have the right to request a clear and meaningful explanation from the deployer. This explanation should detail the role of the AI system in the decision-making process, the main parameters of the decision taken, and the related input data, in accordance with Article 13(1).

2. The obligation under paragraph 1 shall not apply to the use of AI systems for which exceptions or restrictions are provided by Union or national law, as long as such exceptions or restrictions respect the essence of fundamental rights and freedoms and are deemed a necessary and proportionate measure in a democratic society.

3. This Article is applicable without prejudice to Articles 13, 14, 15, and 22 of the Regulation 2016/679.
Article 68d (new)Article 68d
Amendment to Directive (EU) 2020/1828

In Annex I to Directive (EU) 2020/1828 of the European Parliament and of the Council, the following point is added:
“(67a) Regulation xxxx/xxxx of the European Parliament and of the Council [laying down harmonised rules on artificial intelligence (Artificial Intelligence Act) and amending certain Union legislative acts (OJ L …)]”.
In Annex I to Directive (EU) 2020/1828 of the European Parliament and of the Council, the following point is added:
“(67a) Regulation xxxx/xxxx of the European Parliament and of the Council [laying down harmonised rules on artificial intelligence (Artificial Intelligence Act) and amending certain Union legislative acts (OJ L …)]”.
Article 68e (new)Article 68e
Reporting of breaches and protection of reporting persons

Directive (EU) 2019/1937 of the European Parliament and of the Council shall apply to the reporting of breaches of this Regulation and the protection of persons reporting such breaches.

Article 68e
Reporting of breaches and protection of reporting persons

Directive (EU) 2019/1937 of the European Parliament and of the Council shall be applicable for the reporting of breaches of this Regulation and for the protection of persons reporting such breaches.

TITLE IX: Codes of Conduct

Article 69
NumberingCommissionParliamentCouncilText proposed by the AI
Artcile 69 Article 69
Codes of conduct		Article 69
Codes of conduct		Article 69
Codes of conduct for voluntary application of specific requirements		Article 69
Codes of conduct for voluntary application of specific requirements
Article 69 – paragraph 1The Commission and the Member States shall encourage and facilitate the drawing up of codes of conduct intended to foster the voluntary application to AI systems other than high-risk AI systems of the requirements set out in Title III, Chapter 2 on the basis of technical specifications and solutions that are appropriate means of ensuring compliance with such requirements in light of the intended purpose of the systems.1.  The Commission, the AI Office and the Member States shall encourage and facilitate the drawing up of codes of conduct intended, including where they are drawn up in order to demonstrate how AI systems respect the principles set out in Article 4a and can thereby be considered trustworthy, to foster the voluntary application to AI systems other than high-risk AI systems of the requirements set out in Title III, Chapter 2 on the basis of technical specifications and solutions that are appropriate means of ensuring compliance with such requirements in light of the intended purpose of the systems.1. The Commission, and the Member States shall facilitate the drawing up of codes of conduct intended to encourage the voluntary application to AI systems other than high-risk AI systems of one or more of the requirements set out in Title III, Chapter 2 of this Regulation to the best extent possible, taking into account the available, technical solutions allowing for the application of such requirements.The Commission, the AI Office, and the Member States shall encourage and facilitate the drawing up of codes of conduct. These codes are intended to foster the voluntary application to AI systems other than high-risk AI systems of the requirements set out in Title III, Chapter 2. This should be based on technical specifications and solutions that are appropriate means of ensuring compliance with such requirements in light of the intended purpose of the systems. These codes of conduct can also be drawn up to demonstrate how AI systems respect the principles set out in Article 4a and can thereby be considered trustworthy. The aim is to encourage the application of one or more of these requirements to the best extent possible, taking into account the available technical solutions.
Article 69 – paragraph 22. The Commission and the Board shall encourage and facilitate the drawing up of codes of conduct intended to foster the voluntary application to AI systems of requirements related for example to environmental sustainability, accessibility for persons with a disability, stakeholders participation in the design and development of the AI systems and diversity of development teams on the basis of clear objectives and key performance indicators to measure the achievement of those objectives.2. Codes of conduct intended to foster the voluntary compliance with the principles underpinning trustworthy AI systems, shall, in particular:
(a) aim for a sufficient level of AI literacy among their staff and other persons dealing with the operation and use of AI systems in order to observe such principles;
(b) assess to what extent their AI systems may affect vulnerable persons or groups of persons, including children, the elderly, migrants and persons with disabilities or whether measures could be put in place in order to increase accessibility, or otherwise support such persons or groups of persons;
(c) consider the way in which the use of their AI systems may have an impact or can increase diversity, gender balance and equality;
(d) have regard to whether their AI systems can be used in a way that, directly or indirectly, may residually or significantly reinforce existing biases or inequalities;
(e) reflect on the need and relevance of having in place diverse development teams in view of securing an inclusive design of their systems;
(f) give careful consideration to whether their systems can have a negative societal impact, notably concerning political institutions and democratic processes;
(g) evaluate how AI systems can contribute to environmental sustainability and in particular to the Union’s commitments under the European Green Deal and the European Declaration on Digital Rights and Principles.
2. The Commission and the Member States shall facilitate the drawing up of codes of conduct intended to encourage the voluntary application to all AI systems of specific requirements related, for example, to environmental sustainability, including as regards energy-efficient programming, accessibility for persons with a disability, stakeholders participation in the design and development of the AI systems and diversity of development teams on the basis of clear objectives and key performance indicators to measure the achievement of those objectives. The Commission and the Member States shall also facilitate, where appropriate, the drawing of codes of conduct applicable on a voluntary basis with regard to users’ obligations in relation to AI systems.2. The Commission, the Board, and the Member States shall encourage and facilitate the drawing up of codes of conduct intended to foster the voluntary application to all AI systems of requirements related to, for example, environmental sustainability, including energy-efficient programming, accessibility for persons with a disability, stakeholders participation in the design and development of the AI systems, and diversity of development teams. These codes of conduct should aim for a sufficient level of AI literacy among staff and other persons dealing with the operation and use of AI systems, assess the potential impact on vulnerable persons or groups, consider the impact on diversity, gender balance, and equality, and reflect on the potential for reinforcing existing biases or inequalities. They should also consider the societal impact, notably concerning political institutions and democratic processes, and evaluate how AI systems can contribute to environmental sustainability and the Union’s commitments under the European Green Deal and the European Declaration on Digital Rights and Principles. The codes of conduct should be based on clear objectives and key performance indicators to measure the achievement of those objectives. The Commission, the Board, and the Member States shall also facilitate, where appropriate, the drawing up of codes of conduct applicable on a voluntary basis with regard to users’ obligations in relation to AI systems.
Article 69 – paragraph 33. Codes of conduct may be drawn up by individual providers of AI systems or by organisations representing them or by both, including with the involvement of users and any interested stakeholders and their representative organisations. Codes of conduct may cover one or more AI systems taking into account the similarity of the intended purpose of the relevant systems.3. Codes of conduct may be drawn up by individual providers of AI systems or by organisations representing them or by both, including with the involvement of users and any interested stakeholders, including scientific researchers, and their representative organisations, in particular trade unions, and consumer organisations. Codes of conduct may cover one or more AI systems taking into account the similarity of the intended purpose of the relevant systems. Providers adopting codes of conduct will designate at least one natural person responsible for internal monitoring.3. Codes of conduct applicable on a voluntary basis may be drawn up by individual providers of AI systems or by organisations representing them or by both, including with the involvement of users and any interested stakeholders and their representative organisations, or, where appropriate, by users with regard to their obligations. Codes of conduct may cover one or more AI systems taking into account the similarity of the intended purpose of the relevant systems.3. Codes of conduct, applicable on a voluntary basis, may be drawn up by individual providers of AI systems or by organisations representing them or by both, including with the involvement of users, scientific researchers, and any interested stakeholders and their representative organisations, in particular trade unions, and consumer organisations, or, where appropriate, by users with regard to their obligations. Codes of conduct may cover one or more AI systems taking into account the similarity of the intended purpose of the relevant systems. Providers adopting codes of conduct will designate at least one natural person responsible for internal monitoring.
Article 69 – paragraph 44. The Commission and the Board shall take into account the specific interests and needs of the small-scale providers and start-ups when encouraging and facilitating the drawing up of codes of conduct.4. The Commission and the AI Office shall take into account the specific interests and needs of SMEs and start-ups when encouraging and facilitating the drawing up of codes of conduct.4. The Commission and the Member States shall take into account the specific interests and needs of SME providers, including start-ups, when encouraging and facilitating the drawing up of codes of conduct referred to in this Article.4. The Commission, the AI Office, the Board, and the Member States shall take into account the specific interests and needs of small-scale providers, SMEs, and start-ups, including SME providers, when encouraging and facilitating the drawing up of codes of conduct referred to in this Article.

TITLE X: Confidentiality and Penalties

Article 70
NumberingCommissionParliamentCouncilText proposed by the AI
Article 70Article 70
Confidentiality		Article 70
Confidentiality		Article 70
Confidentiality		Article 70
Confidentiality
Article 70 – paragraph 1 – introductory part1. National competent authorities and notified bodies involved in the application of this Regulation shall respect the confidentiality of information and data obtained in carrying out their tasks and activities in such a manner as to protect, in particular:1. The Commission, national competent authorities and notified bodies, the AI Office and any other natural or legal person involved in the application of this Regulation shall respect the confidentiality of information and data obtained in carrying out their tasks and activities in such a manner as to protect, in particular;1. National competent authorities, notified bodies, the Commission, the Board, and any other natural or legal person involved in the application of this Regulation shall, in accordance with Union or national law, put appropriate technical and organisational measures in place to ensure the confidentiality of information and data obtained in carrying out their tasks and activities in such a manner as to protect, in particular:1. The Commission, national competent authorities, notified bodies, the AI Office, the Board, and any other natural or legal person involved in the application of this Regulation shall, in accordance with Union or national law, respect the confidentiality of information and data obtained in carrying out their tasks and activities. They shall put appropriate technical and organisational measures in place to ensure this confidentiality in such a manner as to protect, in particular:
Article 70 – paragraph 1 – point a(a) intellectual property rights, and confidential business information or trade secrets of a natural or legal person, including source code, except the cases referred to in Article 5 of Directive 2016/943 on the protection of undisclosed know-how and business information (trade secrets) against their unlawful acquisition, use and disclosure apply.(a) intellectual property rights, and confidential business information or trade secrets of a natural or legal person, in accordance with the provisions of Directives 2004/48/EC and 2016/943/EC, including source code, except the cases referred to in Article 5 of Directive 2016/943 on the protection of undisclosed know-how and business information (trade secrets) against their unlawful acquisition, use and disclosure apply;(a) intellectual property rights, and confidential business information or trade secrets of a natural or legal person, including source code, except the cases referred to in Article 5 of Directive 2016/943 on the protection of undisclosed know-how and business information (trade secrets) against their unlawful acquisition, use and disclosure apply.(a) intellectual property rights, and confidential business information or trade secrets of a natural or legal person, in accordance with the provisions of Directives 2004/48/EC and 2016/943/EC, including source code, except the cases referred to in Article 5 of Directive 2016/943 on the protection of undisclosed know-how and business information (trade secrets) against their unlawful acquisition, use and disclosure apply.
Article 70 – paragraph 1 – point b (b) the effective implementation of this Regulation, in particular for the purpose of inspections, investigations or audits;(c) public and national security interests;(b) the effective implementation of this Regulation, in particular for the purpose of inspections, investigations or audits;(c) public and national security interests;(b) the effective implementation of this Regulation, in particular for the purpose of inspections, investigations or audits;(b) the effective implementation of this Regulation, in particular for the purpose of inspections, investigations or audits;
Article 70 – paragraph 1 – point ba [P] / point c [C] (new)(ba) public and national security interests;(c) public and national security interests;(c) public and national security interests;
Article 70 – paragraph 1 – point c / d(c) integrity of criminal or administrative proceedings.(c) integrity of criminal or administrative proceedings.(d) integrity of criminal or administrative proceedings;(c) integrity of criminal or administrative proceedings.
Article 70 – paragraph 1 – point e (new)(e) the integrity of information classified in accordance with Union or national law.None
Article 70 – paragraph 1a (new)(1a) The authorities involved in the application of this Regulation pursuant to paragraph 1 shall minimise the quantity of data requested for disclosure to the data that is strictly necessary for the perceived risk and the assessment of that risk. They shall delete the data as soon as it is no longer needed for the purpose it was requested for. They shall put in place adequate and effective cybersecurity, technical and organisational measures to protect the security and confidentiality of the information and data obtained in carrying out their tasks and activities;The authorities involved in the application of this Regulation shall limit the amount of data requested for disclosure to what is strictly necessary for assessing the perceived risk. The data should be deleted as soon as it is no longer required for the purpose it was requested for. In carrying out their tasks and activities, these authorities must implement adequate and effective cybersecurity, technical, and organisational measures to ensure the security and confidentiality of the obtained information and data.
Article 70 – paragraph 22. Without prejudice to paragraph 1, information exchanged on a confidential basis between the national competent authorities and between national competent authorities and the Commission shall not be disclosed without the prior consultation of the originating national competent authority and the user when high-risk AI systems referred to in points 1, 6 and 7 of Annex III are used by law enforcement, immigration or asylum authorities, when such disclosure would jeopardise public and national security interests.

When the law enforcement, immigration or asylum authorities are providers of high-risk AI systems referred to in points 1, 6 and 7 of Annex III, the technical documentation referred to in Annex IV shall remain within the premises of those authorities. Those authorities shall ensure that the market surveillance authorities referred to in Article 63(5) and (6), as applicable, can, upon request, immediately access the documentation or obtain a copy thereof. Only staff of the market surveillance authority holding the appropriate level of security clearance shall be allowed to access that documentation or any copy thereof.		2. Without prejudice to paragraphs 1 and 1a, information exchanged on a confidential basis between the national competent authorities and between national competent authorities and the Commission shall not be disclosed without the prior consultation of the originating national competent authority and the deployer when high-risk AI systems referred to in points 1, 6 and 7 of Annex III are used by law enforcement, immigration or asylum authorities, when such disclosure would jeopardise public or national security.

When the law enforcement, immigration or asylum authorities are providers of high-risk AI systems referred to in points 1, 6 and 7 of Annex III, the technical documentation referred to in Annex IV shall remain within the premises of those authorities. Those authorities shall ensure that the market surveillance authorities referred to in Article 63(5) and (6), as applicable, can, upon request, immediately access the documentation or obtain a copy thereof. Only staff of the market surveillance authority holding the appropriate level of security clearance shall be allowed to access that documentation or any copy thereof.		2. Without prejudice to paragraph 1, information exchanged on a confidential basis between the national competent authorities and between national competent authorities and the Commission shall not be disclosed without the prior consultation of the originating national competent authority and the user when high-risk AI systems referred to in points 1, 6 and 7 of Annex III are used by law enforcement, border control, immigration or asylum authorities, when such disclosure would jeopardise public and national security interests. This obligation to exchange information shall not cover sensitive operational data in relation to the activities of law enforcement, border control, immigration or asylum authorities.

When the law enforcement, immigration or asylum authorities are providers of high-risk AI systems referred to in points 1, 6 and 7 of Annex III, the technical documentation referred to in Annex IV shall remain within the premises of those authorities. Those authorities shall ensure that the market surveillance authorities referred to in Article 63(5) and (6), as applicable, can, upon request, immediately access the documentation or obtain a copy thereof. Only staff of the market surveillance authority holding the appropriate level of security clearance shall be allowed to access that documentation or any copy thereof.		2. Without prejudice to paragraphs 1 and 1a, information exchanged on a confidential basis between the national competent authorities and between national competent authorities and the Commission shall not be disclosed without the prior consultation of the originating national competent authority and the user or deployer when high-risk AI systems referred to in points 1, 6 and 7 of Annex III are used by law enforcement, border control, immigration or asylum authorities, when such disclosure would jeopardise public or national security interests. This obligation to exchange information shall not cover sensitive operational data in relation to the activities of law enforcement, border control, immigration or asylum authorities.

When the law enforcement, border control, immigration or asylum authorities are providers of high-risk AI systems referred to in points 1, 6 and 7 of Annex III, the technical documentation referred to in Annex IV shall remain within the premises of those authorities. Those authorities shall ensure that the market surveillance authorities referred to in Article 63(5) and (6), as applicable, can, upon request, immediately access the documentation or obtain a copy thereof. Only staff of the market surveillance authority holding the appropriate level of security clearance shall be allowed to access that documentation or any copy thereof.
Article 70 – paragraph 33. Paragraphs 1 and 2 shall not affect the rights and obligations of the Commission, Member States and notified bodies with regard to the exchange of information and the dissemination of warnings, nor the obligations of the parties concerned to provide information under criminal law of the Member States.3. Paragraphs 1, 1a and 2 shall not affect the rights and obligations of the Commission, Member States and notified bodies with regard to the exchange of information and the dissemination of warnings, nor the obligations of the parties concerned to provide information under criminal law of the Member States;3. Paragraphs 1 and 2 shall not affect the rights and obligations of the Commission, Member States and their relevant authorities, as well as notified bodies, with regard to the exchange of information and the dissemination of warnings, including in the context of cross-border cooperation, nor the obligations of the parties concerned to provide information under criminal law of the Member States.3. Paragraphs 1, 1a and 2 shall not affect the rights and obligations of the Commission, Member States, their relevant authorities, and notified bodies with regard to the exchange of information and the dissemination of warnings, including in the context of cross-border cooperation, nor the obligations of the parties concerned to provide information under criminal law of the Member States.
Article 70 – paragraph 44. The Commission and Member States may exchange, where necessary, confidential information with regulatory authorities of third countries with which they have concluded bilateral or multilateral confidentiality arrangements guaranteeing an adequate level of confidentiality.4. The Commission and Member States may exchange, where strictly necessary and in accordance with relevant provisions of international and trade agreements, confidential information with regulatory authorities of third countries with which they have concluded bilateral or multilateral confidentiality arrangements guaranteeing an adequate level of confidentiality.deleted 4. The Commission and Member States may exchange, where strictly necessary and in accordance with relevant provisions of international and trade agreements, confidential information with regulatory authorities of third countries with which they have concluded bilateral or multilateral confidentiality arrangements guaranteeing an adequate level of confidentiality.
Article 71
Article 71 Article 71
Penalties		Article 71
Penalties		Article 71
Penalties		None
Article 71 – paragraph 11. In compliance with the terms and conditions laid down in this Regulation, Member States shall lay down the rules on penalties, including administrative fines, applicable to infringements of this Regulation and shall take all measures necessary to ensure that they are properly and effectively implemented. The penalties provided for shall be effective, proportionate, and dissuasive. They shall take into particular account the interests of small-scale providers and start-up and their economic viability.1. In compliance with the terms and conditions laid down in this Regulation, Member States shall lay down the rules on penalties, applicable to infringements of this Regulation by any operator, and shall take all measures necessary to ensure that they are properly and effectively implemented and aligned with the guidelines issued by the Commission and the AI Office pursuant to Article 82b. The penalties provided for shall be effective, proportionate, and dissuasive. They shall take into account the interests of SMEs and start-ups and their economic viability;1. In compliance with the terms and conditions laid down in this Regulation, Member States shall lay down the rules on penalties, including administrative fines, applicable to infringements of this Regulation and shall take all measures necessary to ensure that they are properly and effectively implemented. The penalties provided for shall be effective, proportionate, and dissuasive. They shall take into particular account the size and interests of SME providers, including start-ups, and their economic viability. They shall also take into account whether the use of the AI system is in the context of personal nonprofessional activity.In compliance with the terms and conditions laid down in this Regulation, Member States shall lay down the rules on penalties, including administrative fines, applicable to infringements of this Regulation by any operator, and shall take all measures necessary to ensure that they are properly and effectively implemented and aligned with the guidelines issued by the Commission and the AI Office pursuant to Article 82b. The penalties provided for shall be effective, proportionate, and dissuasive. They shall take into particular account the size and interests of SME providers, including start-ups, and their economic viability. They shall also take into account whether the use of the AI system is in the context of personal nonprofessional activity.
Article 71 – paragraph 22. The Member States shall notify the Commission of those rules and of those measures and shall notify it, without delay, of any subsequent amendment affecting them.2. The Member States shall notify the Commission and the Office by  [ 12 months after the date of entry into force of this Regulation] of those rules and of those measures and shall notify them, without delay, of any subsequent amendment affecting them.2. The Member States shall without delay notify the Commission of those rules and of those measures and of any subsequent amendment affecting them2. The Member States shall, without delay and by [12 months after the date of entry into force of this Regulation], notify the Commission and the Office of those rules and of those measures, and of any subsequent amendment affecting them.
Article 71 – paragraph 3 – introductory part3. The following infringements shall be subject to administrative fines of up to 30 000 000 EUR or, if the offender is company, up to 6 % of its total worldwide annual turnover for the preceding financial year, whichever is higher:3. Non compliance with the prohibition of the artificial intelligence practices referred to in Article 5 shall be subject to administrative fines of up to 40 000 000 EUR or, if the offender is a company, up to 7 % of its total worldwide annual turnover for the preceding financial year, whichever is higher:3. Non-compliance with any of the prohibitions of the artificial intelligence practices referred to in Article 5 shall be subject to administrative fines of up to 30 000 000 EUR or, if the offender is company, up to 6 % of its total worldwide annual turnover for the preceding financial year, whichever is higher. In case of SMEs, including start-ups, these fines shall be up to 3% of their worldwide annual turnover for the preceding financial year.3. Non-compliance with any of the prohibitions of the artificial intelligence practices referred to in Article 5 shall be subject to administrative fines of up to 40 000 000 EUR or, if the offender is a company, up to 7 % of its total worldwide annual turnover for the preceding financial year, whichever is higher. In the case of SMEs, including start-ups, these fines shall be up to 3% of their worldwide annual turnover for the preceding financial year.
Article 71 – paragraph 3 – point a(a) non-compliance with the prohibition of the artificial intelligence practices referred to in Article 5;deleteddeletedNone
Article 71 – paragraph 3 – point b(b) non-compliance of the AI system with the requirements laid down in Article 10.deleteddeletedNone
Article 71 – paragraph 3a (new)3a. Non-compliance of the AI system with the requirements laid down in Article 10 and 13 shall be subject to administrative fines of up to EUR  20 000 000 or, if the offender is a company, up to 4% of its total worldwide annual turnover for the preceding financial year, whichever is the higher. In the event of non-compliance with the requirements set out in Articles 10 and 13, the AI system shall be subject to administrative fines of up to EUR 20 000 000 or, in the case of a company, up to 4% of its total worldwide annual turnover for the preceding financial year, whichever is the higher.
Article 71 – paragraph 44. The non-compliance of the AI system with any requirements or obligations under this Regulation, other than those laid down in Articles 5 and 10, shall be subject to administrative fines of up to 20 000 000 EUR or, if the offender is a company, up to 4 % of its total worldwide annual turnover for the preceding financial year, whichever is higher.4. Non-compliance of the AI system or foundation model with any requirements or obligations under this Regulation, other than those laid down in Articles 5, 10 and 13, shall be subject to administrative fines of up to EUR 10 000 000 or, if the offender is a company, up to 2% of its total worldwide annual turnover for the preceding financial year, whichever is higher;4. Infringements of the following provisions related to operators or notified bodies, shall be subject to administrative fines of up to 20 000 000 EUR or, if the offender is a company, up to 4 % of its total worldwide annual turnover for the preceding financial year, whichever is higher:
-a) obligations of providers pursuant to Articles 4b and 4c;
a) obligations of providers pursuant to Article 16;
b) obligations for certain other persons pursuant to Article 23a;
c) obligations of authorised representatives pursuant to Article 25;
d) obligations of importers pursuant to Article 26;
e) obligations of distributors pursuant to Article 27;
f) obligations of users pursuant to Article 29, paragraphs 1 to 6a;
g) requirements and obligations of notified bodies pursuant to Article 33, 34(1), 34(3), 34(4), 34a;
h) transparency obligations for providers and users pursuant to Article 52.

In case of SMEs, including start-ups, these fines shall be up to 2% of their worldwide annual turnover for the preceding financial year.		4. Non-compliance of the AI system or foundation model with any requirements or obligations under this Regulation, other than those laid down in Articles 5, 10 and 13, and infringements of the following provisions related to operators or notified bodies, including obligations of providers pursuant to Articles 4b, 4c, and 16; obligations for certain other persons pursuant to Article 23a; obligations of authorised representatives pursuant to Article 25; obligations of importers pursuant to Article 26; obligations of distributors pursuant to Article 27; obligations of users pursuant to Article 29, paragraphs 1 to 6a; requirements and obligations of notified bodies pursuant to Article 33, 34(1), 34(3), 34(4), 34a; and transparency obligations for providers and users pursuant to Article 52, shall be subject to administrative fines of up to 20 000 000 EUR or, if the offender is a company, up to 4 % of its total worldwide annual turnover for the preceding financial year, whichever is higher. In case of SMEs, including start-ups, these fines shall be up to 2% of their worldwide annual turnover for the preceding financial year.
Article 71 – paragraph 55. The supply of incorrect, incomplete or misleading information to notified bodies and national competent authorities in reply to a request shall be subject to administrative fines of up to 10 000 000 EUR or, if the offender is a company, up to 2 % of its total worldwide annual turnover for the preceding financial year, whichever is higher.5. The supply of incorrect, incomplete or misleading information to notified bodies and national competent authorities in reply to a request shall be subject to administrative fines of up to 5 000 000 EUR or, if the offender is a company, up to 1 % of its total worldwide annual turnover for the preceding financial year, whichever is higher.5. The supply of incorrect, incomplete or misleading information to notified bodies and national competent authorities in reply to a request shall be subject to administrative fines of up to 10 000 000 EUR or, if the offender is a company, up to 2 % of its total worldwide annual turnover for the preceding financial year, whichever is higher. In case of SMEs, including start-ups, these fines shall be up to 1% of their worldwide annual turnover for the preceding financial year.5. The supply of incorrect, incomplete or misleading information to notified bodies and national competent authorities in reply to a request shall be subject to administrative fines of up to 10 000 000 EUR or, if the offender is a company, up to 2 % of its total worldwide annual turnover for the preceding financial year, whichever is higher. However, if the offender is a company with a turnover of up to 5 000 000 EUR, the fine shall be up to 1 % of its total worldwide annual turnover for the preceding financial year. In the case of SMEs, including start-ups, these fines shall be up to 1% of their worldwide annual turnover for the preceding financial year.
Article 71 – paragraph 6 – introductory part6. When deciding on the amount of the administrative fine in each individual case, all relevant circumstances of the specific situation shall be taken into account and due regard shall be given to the following:6. Fines may be imposed in addition to or instead of non-monetary measures such as orders or warnings. When deciding on the amount of the administrative fine in each individual case, all relevant circumstances of the specific situation shall be taken into account and due regard shall be given to the following;6. When deciding on the amount of the administrative fine in each individual case, all relevant circumstances of the specific situation shall be taken into account and due regard shall be given to the following:6. Fines may be imposed in addition to or instead of non-monetary measures such as orders or warnings. When deciding on the amount of the administrative fine in each individual case, all relevant circumstances of the specific situation shall be taken into account and due regard shall be given to the following:
Article 71 – paragraph 6 – point a(a) the nature, gravity and duration of the infringement and of its consequences;(a) the nature, gravity and duration of the infringement and of its consequences, taking into account the purpose of the AI system, as well as, where appropriate, the number of affected persons and the level of damage suffered by them;(a) the nature, gravity and duration of the infringement and of its consequences;(a) the nature, gravity and duration of the infringement and of its consequences, considering the purpose of the AI system, and, if applicable, the number of affected persons and the level of damage suffered by them;
Article 71 – paragraph 6 – point aa (new)(aa) the intentional or negligent character of the infringement;None
Article 71 – paragraph 6 – point ab (new)(ab) any action taken by the operator in order to remedy the infringement and mitigate the possible adverse effects of the infringement;None
Article 71 – paragraph 6 – point b(b) whether administrative fines have been already applied by other market surveillance authorities to the same operator for the same infringement.(b) whether administrative fines have been already applied by other national supervisory authorities of one or more Member States to the same operator for the same infringement;(b) whether administrative fines have been already applied by other market surveillance authorities in other Member States to the same operator for the same infringement;(b) whether administrative fines have been already applied by other market surveillance or national supervisory authorities in one or more Member States to the same operator for the same infringement;
Article 71 – paragraph 6 – point ba (new)(ba) whether administrative fines have been already applied by other authorities to the same operator for infringements of other Union or national law, when such infringements result from the same activity or omission constituting a relevant infringement of this Act;None
Article 71 – paragraph 6 – point c(c) the size and market share of the operator committing the infringement;(c) the size and annual turnover of the operator committing the infringement;(c) the size, the annual turnover and market share of the operator committing the
infringement;		(c) the size, annual turnover, and market share of the operator committing the infringement;
Article 71 – paragraph 6 – point ca (new)(ca) any action taken by the operator to mitigate the harm of damage suffered by the affected persons;Any action taken by the operator to alleviate the harm or damage suffered by the affected individuals.
Article 71 – paragraph 6 – point cb (new)(cb) the intentional or negligent character of the infringement;The infringement should be characterized by its intentional or negligent nature.
Article 71 – paragraph 6 – point cc (new)(cc) the degree of cooperation with the national competent authorities, in order to remedy the infringement and mitigate the possible adverse effects of the infringement;The degree of cooperation with the national competent authorities should be considered, aiming to remedy the infringement and mitigate the possible adverse effects of the infringement.
Article 71 – paragraph 6 – point cd (new)(cd) the degree of responsibility of the operator taking into account the technical and organisational measures implemented by them;The operator’s degree of responsibility should be considered, taking into account the technical and organisational measures they have implemented.
Article 71 – paragraph 6 – point ce (new)/(ce) the manner in which the infringement became known to the national competent authorities, in particular whether, and if so to what extent, the operator notified the infringement;The manner in which the infringement was identified by the national competent authorities, specifically whether the operator reported the infringement and the extent of such notification.
Article 71 – paragraph 6 – point c (new)/(cf) adherence to approved codes of conduct or approved certification mechanisms;Adherence to approved codes of conduct or approved certification mechanisms.
Article 71 – paragraph 6 – point cg (new)(cg) any relevant previous infringements by the operator;Consideration of any relevant previous infringements by the operator.
Article 71 – paragraph 6 – point ch [P] / point d [C] (new)(ch) any other aggravating or mitigating factor applicable to the circumstances of the case.(d) any other aggravating or mitigating factor applicable to the circumstances of the case, such as financial benefits gained, or losses avoided, directly or indirectly, from the infringement.(d) any other aggravating or mitigating factor applicable to the circumstances of the case, including but not limited to financial benefits gained, or losses avoided, directly or indirectly, from the infringement.
Article 71 – paragraph 77. Each Member State shall lay down rules on whether and to what extent administrative fines may be imposed on public authorities and bodies established in that Member State.7.each Member State shall lay down rules on administrative fines to be imposed on public authorities and bodies established in that Member State;7. Each Member State shall lay down rules on whether and to what extent administrative fines may be imposed on public authorities and bodies established in that Member State7. Each Member State shall lay down rules on whether and to what extent administrative fines may be imposed on public authorities and bodies established in that Member State.
Article 71 – paragraph 88. Depending on the legal system of the Member States, the rules on administrative fines may be applied in such a manner that the fines are imposed by competent national courts of other bodies as applicable in those Member States. The application of such rules in those Member States shall have an equivalent effect.8. Depending on the legal system of the Member States, the rules on administrative fines may be applied in such a manner that the fines are imposed by competent national courts of other bodies as applicable in those Member States. The application of such rules in those Member States shall have an equivalent effect.8. Depending on the legal system of the Member States, the rules on administrative fines may be applied in such a manner that the fines are imposed by competent national courts or other bodies as applicable in those Member States. The application of such rules in those Member States shall have an equivalent effect.8. Depending on the legal system of the Member States, the rules on administrative fines may be applied in such a manner that the fines are imposed by competent national courts or other bodies as applicable in those Member States. The application of such rules in those Member States shall have an equivalent effect.
Article 71 – paragraph 8a (new)8a. The penalties referred to in this article as well as the associated litigation costs and indemnification claims may not be the subject of contractual clauses or other form of burden-sharing agreements between providers and distributors, importers, deployers, or any other third parties;The penalties mentioned in this article, along with the related litigation costs and indemnification claims, cannot be included in contractual clauses or any other form of burden-sharing agreements between providers, distributors, importers, deployers, or any other third parties.
Article 71 – paragraph 8b (new)8b. National supervisory authorities shall, on an annual basis, report to the AI Office about the fines they have issued during that year, in accordance with this Article;National supervisory authorities are required to submit an annual report to the AI Office, detailing the fines they have issued during that year, in accordance with this Article.
Article 71 – paragraph 8c [P] / paragraph 9 [C] (new)8c. The exercise by competent authorities of their powers under this Article shall be subject to appropriate procedural safeguards in accordance with Union and national law, including judicial remedy and due process;9. The exercise by the market surveillance authority of its powers under this Article shall be subject to appropriate procedural safeguards in accordance with Union and Member State law, including effective judicial remedy and due process.The exercise by the relevant authorities, including the market surveillance authority, of their powers under this Article shall be subject to appropriate procedural safeguards in accordance with Union and national/Member State law, including judicial remedy and due process.
Article 72
NumberingCommissionParliamentCouncilText proposed by the AI
Article 72Article 72
Administrative fines on Union institutions, agencies and bodies		Article 72
Administrative fines on Union institutions, agencies and bodies		Article 72
Administrative fines on Union institutions, agencies and bodies		Article 72
Administrative fines on Union institutions, agencies and bodies
Article 72 – paragraph 1 – introductory part1. The European Data Protection Supervisor may impose administrative fines on Union institutions, agencies and bodies falling within the scope of this Regulation. When deciding whether to impose an administrative fine and deciding on the amount of the administrative fine in each individual case, all relevant circumstances of the specific situation shall be taken into account and due regard shall be given to the following:1. The European Data Protection Supervisor may impose administrative fines on Union institutions, agencies and bodies falling within the scope of this Regulation. When deciding whether to impose an administrative fine and deciding on the amount of the administrative fine in each individual case, all relevant circumstances of the specific situation shall be taken into account and due regard shall be given to the following:1. The European Data Protection Supervisor may impose administrative fines on Union institutions, agencies and bodies falling within the scope of this Regulation. When deciding whether to impose an administrative fine and deciding on the amount of the administrative fine in each individual case, all relevant circumstances of the specific situation shall be taken into account and due regard shall be given to the following:1. The European Data Protection Supervisor may impose administrative fines on Union institutions, agencies and bodies falling within the scope of this Regulation. When deciding whether to impose an administrative fine and deciding on the amount of the administrative fine in each individual case, all relevant circumstances of the specific situation shall be taken into account and due regard shall be given to the following:
Article 72 – paragraph 1 – point a(a) the nature, gravity and duration of the infringement and of its consequences;(a) the nature, gravity and duration of the infringement and of its consequences;, taking into account the purpose of the AI system concerned as well as the number of affected persons and the level of damage suffered by them, and any relevant previous infringement;(a) the nature, gravity and duration of the infringement and of its consequences;(a) the nature, gravity and duration of the infringement and of its consequences; taking into account the purpose of the AI system concerned as well as the number of affected persons and the level of damage suffered by them, and any relevant previous infringement;
Article 72 – paragraph 1 – point aa (new)(aa) any action taken by the Union institution, agency or body to mitigate the damage suffered by affected persons;Any action taken by the Union institution, agency or body to mitigate the damage suffered by affected persons.
Article 72 – paragraph 1 – point a b (new)(ab) the degree of responsibility of the Union institution, agency or body, taking into account technical and organisational measures implemented by them;The degree of responsibility of the Union institution, agency or body should be considered, taking into account the technical and organisational measures implemented by them.
Article 72 – paragraph 1 – point b(b) the cooperation with the European Data Protection Supervisor in order to remedy the infringement and mitigate the possible adverse effects of the infringement, including compliance with any of the measures previously ordered by the European Data Protection Supervisor against the Union institution or agency or body concerned with regard to the same subject matter;(b) the degree of cooperation with the European Data Protection Supervisor in order to remedy the infringement and mitigate the possible adverse effects of the infringement, including compliance with any of the measures previously ordered by the European Data Protection Supervisor against the Union institution or agency or body concerned with regard to the same subject matter;(b) the cooperation with the European Data Protection Supervisor in order to remedy the infringement and mitigate the possible adverse effects of the infringement, including compliance with any of the measures previously ordered by the European Data Protection Supervisor against the Union institution or agency or body concerned with regard to the same subject matter;(b) the degree of cooperation with the European Data Protection Supervisor in order to remedy the infringement and mitigate the possible adverse effects of the infringement, including compliance with any of the measures previously ordered by the European Data Protection Supervisor against the Union institution or agency or body concerned with regard to the same subject matter;
Article 72 – paragraph 1 – point c(c) any similar previous infringements by the Union institution, agency or body;(c) any similar previous infringements by the Union institution, agency or body;(c) any similar previous infringements by the Union institution, agency or body;(c) any similar previous infringements by the Union institution, agency or body;
Article 72 – paragraph 1 – point ca (new)(ca) the manner in which the infringement became known to the European Data Protection Supervisor, in particular whether, and if so to what extent, the Union institution or body notified the infringement;The manner in which the infringement was identified by the European Data Protection Supervisor, specifically whether, and if so to what extent, the Union institution or body reported the infringement.
Article 72 – paragraph 1 – point cb (new)(cb) the annual budget of the body;The annual budget of the body should be considered and reviewed.
Article 72 – paragraph 2 – introductory part2. The following infringements shall be subject to administrative fines of up to 500 000 EUR:2. Non compliance with the prohibition of the artificial intelligence practices referred to in Article 5 shall be subject to administrative fines of up to EUR 1 500 000.2. Non-compliance with any of the prohibitions of the artificial intelligence practices referred to in Article 5 shall be subject to administrative fines of up to 500 000 EUR.2. Non-compliance with any of the prohibitions of the artificial intelligence practices referred to in Article 5 shall be subject to administrative fines of up to EUR 1 500 000.
Article 72 – paragraph 2 – point a(a) non-compliance with the prohibition of the artificial intelligence practices referred to in Article 5;deleteddeletedNone
Article 72 – paragraph 2 – point b(b) non-compliance of the AI system with the requirements laid down in Article 10.[deleted]deletedNone
Article 72 – paragraph 2a (new)2a. Non-compliance of the AI system with the requirements laid down in Article 10 shall be subject to administrative fines of up to 1 000 000 EUR.In the event of an AI system failing to comply with the requirements stipulated in Article 10, administrative fines of up to 1 000 000 EUR shall be imposed.
Article 72 – paragraph 33. The non-compliance of the AI system with any requirements or obligations under this Regulation, other than those laid down in Articles 5 and 10, shall be subject to administrative fines of up to 250 000 EUR.3. the non-compliance of the AI system with any requirements or obligations under this Regulation, other than those laid down in Articles 5 and 10, shall be subject to administrative fines of up to EUR 750 000. 3. Non-compliance of the AI system with any requirements or obligations under this Regulation, other than those laid down in Articles 5 and 10, shall be subject to administrative fines of up to 250 000 EUR.3. Non-compliance of the AI system with any requirements or obligations under this Regulation, other than those laid down in Articles 5 and 10, shall be subject to administrative fines of up to EUR 250 000 to 750 000.
Article 72 – paragraph 44. Before taking decisions pursuant to this Article, the European Data Protection Supervisor shall give the Union institution, agency or body which is the subject of the proceedings conducted by the European Data Protection Supervisor the opportunity of being heard on the matter regarding the possible infringement. The European Data Protection Supervisor shall base his or her decisions only on elements and circumstances on which the parties concerned have been able to comment. Complainants, if any, shall be associated closely with the proceedings.4. Before taking decisions pursuant to this Article, the European Data Protection Supervisor shall give the Union institution, agency or body which is the subject of the proceedings conducted by the European Data Protection Supervisor the opportunity of being heard on the matter regarding the possible infringement. The European Data Protection Supervisor shall base his or her decisions only on elements and circumstances on which the parties concerned have been able to comment. Complainants, if any, shall be associated closely with the proceedings.4. Before taking decisions pursuant to this Article, the European Data Protection Supervisor shall give the Union institution, agency or body which is the subject of the proceedings conducted by the European Data Protection Supervisor the opportunity of being heard on the matter regarding the possible infringement. The European Data Protection Supervisor shall base his or her decisions only on elements and circumstances on which the parties concerned have been able to comment. Complainants, if any, shall be associated closely with the proceedings.4. Before taking decisions pursuant to this Article, the European Data Protection Supervisor shall give the Union institution, agency or body which is the subject of the proceedings conducted by the European Data Protection Supervisor the opportunity of being heard on the matter regarding the possible infringement. The European Data Protection Supervisor shall base his or her decisions only on elements and circumstances on which the parties concerned have been able to comment. Complainants, if any, shall be associated closely with the proceedings.
Article 72 – paragraph 5 5. The rights of defense of the parties concerned shall be fully respected in the proceedings. They shall be entitled to have access to the European Data Protection Supervisor’s file, subject to the legitimate interest of individuals or undertakings in the protection of their personal data or business secrets.5. The rights of defense of the parties concerned shall be fully respected in the proceedings. They shall be entitled to have access to the European Data Protection Supervisor’s file, subject to the legitimate interest of individuals or undertakings in the protection of their personal data or business secrets.5. The rights of defense of the parties concerned shall be fully respected in the proceedings. They shall be entitled to have access to the European Data Protection Supervisor’s file, subject to the legitimate interest of individuals or undertakings in the protection of their personal data or business secrets.5. The rights of defense of the parties concerned shall be fully respected in the proceedings. They shall be entitled to have access to the European Data Protection Supervisor’s file, subject to the legitimate interest of individuals or undertakings in the protection of their personal data or business secrets.
Article 72 – paragraph 66. Funds collected by imposition of fines in this Article shall be the income of the general budget of the Union.6. Funds collected by imposition of fines in this Article shall contribute to the general budget of the Union. The fines shall not affect the effective operation of the Union institution, body or agency fined. 6. Funds collected by imposition of fines in this Article shall be the income of the general budget of the Union.6. Funds collected by imposition of fines in this Article shall contribute to the income of the general budget of the Union. The fines shall not affect the effective operation of the Union institution, body or agency fined.
Article 72 – paragraph 6a (new)6a. The European Data Protection Supervisor shall, on an annual basis, notify the AI Office of the fines it has imposed pursuant to this Article.The European Data Protection Supervisor shall annually inform the AI Office about the penalties imposed in accordance with this Article.

TITLE XI: Delegation of Power and Committee Procedure

Article 73
NumberingCommissionParliamentCouncilText proposed by the AI
Article 73 Article 73
Exercise of the delegation		Article 73
Exercise of the delegation		Article 73
Exercise of the delegation		Article 73
Exercise of the delegation
Article 73 – paragraph 11.The power to adopt delegated acts is conferred on the Commission subject to the conditions laid down in this Article.1.The power to adopt delegated acts is conferred on the Commission subject to the conditions laid down in this Article.1. The power to adopt delegated acts is conferred on the Commission subject to the conditions laid down in this Article.1. The power to adopt delegated acts is conferred on the Commission subject to the conditions laid down in this Article.
Article 73 – paragraph 22. The delegation of power referred to in Article 4, Article 7(1), Article 11(3), Article 43(5) and (6) and Article 48(5) shall be conferred on the Commission for an indeterminate period of time from [entering into force of the Regulation].2. The power to adopt delegated acts referred to in Article 4, Article 7(1), Article 11(3), Article 43(5) and (6) and Article 48(5) shall be conferred on the Commission for a period of five years from … [the date of entry into force of the Regulation].

The Commission shall draw up a report in respect of the delegation of power not later than 9 months before the end of the five-year period. The delegation of power shall be tacitly extended for periods of an identical duration, unless the European Parliament or the Council opposes such extension not later than three months before the end of each period. 		2. The delegation of power referred to in Article 7(1), Article 7(3), Article 11(3), Article 43(5) and (6) and Article 48(5) shall be conferred on the Commission for a period of five years from [entering into force of the Regulation].

The Commission shall draw up a report in respect of the delegation of power not later than nine months before the end of the 5 year period. The delegation of power shall be tacitly extended for periods of an identical duration, unless the European Parliament or the Council opposes such extension not later than three months before the end of each period.		2. The delegation of power referred to in Article 4, Article 7(1), Article 7(3), Article 11(3), Article 43(5) and (6) and Article 48(5) shall be conferred on the Commission for a period of five years from [entering into force of the Regulation].

The Commission shall draw up a report in respect of the delegation of power not later than nine months before the end of the five-year period. The delegation of power shall be tacitly extended for periods of an identical duration, unless the European Parliament or the Council opposes such extension not later than three months before the end of each period.
Article 73 – paragraph 3 3. The delegation of power referred to in Article 4, Article 7(1), Article 11(3), Article 43(5) and (6) and Article 48(5) may be revoked at any time by the European Parliament or by the Council. A decision of revocation shall put an end to the delegation of power specified in that decision. It shall take effect the day following that of its publication in the Official Journal of the European Union or at a later date specified therein. It shall not affect the validity of any delegated acts already in force.3. The delegation of power referred to in Article 4, Article 7(1), Article 11(3), Article 43(5) and (6) and Article 48(5) may be revoked at any time by the European Parliament or by the Council. A decision of revocation shall put an end to the delegation of power specified in that decision. It shall take effect the day following that of its publication in the Official Journal of the European Union or at a later date specified therein. It shall not affect the validity of any delegated acts already in force.3. The delegation of power referred to in Article 7(1), Article 7(3), Article 11(3), Article 43(5) and (6) and Article 48(5) may be revoked at any time by the European Parliament or by the Council. A decision of revocation shall put an end to the delegation of power specified in that decision. It shall take effect the day following that of its publication in the Official Journal of the European Union or at a later date specified therein. It shall not affect the validity of any delegated acts already in force.3. The delegation of power referred to in Article 4, Article 7(1), Article 7(3), Article 11(3), Article 43(5) and (6) and Article 48(5) may be revoked at any time by the European Parliament or by the Council. A decision of revocation shall put an end to the delegation of power specified in that decision. It shall take effect the day following that of its publication in the Official Journal of the European Union or at a later date specified therein. It shall not affect the validity of any delegated acts already in force.
Article 73 – paragraph 3a (new)3a. Before adopting a delegated act, the Commission shall consult with the relevant institutions, the Office, the Advisory Forum and other relevant stakeholders in accordance with the principles laid down in the Interinstitutional Agreement of 13 April 2016 on Better Law-Making.

Once the Commission decides to draft a delegated act, it shall notify the European Parliament of this fact. This notification does not place an obligation on the Commission to adopt the said act.
Before the Commission adopts a delegated act, it is required to consult with relevant institutions, the Office, the Advisory Forum, and other relevant stakeholders in accordance with the principles established in the Interinstitutional Agreement of 13 April 2016 on Better Law-Making. Following the decision to draft a delegated act, the Commission must notify the European Parliament. However, this notification does not impose an obligation on the Commission to adopt the proposed act.
Article 73 – paragraph 4 4. As soon as it adopts a delegated act, the Commission shall notify it simultaneously to the European Parliament and to the Council.4. As soon as it adopts a delegated act, the Commission shall notify it simultaneously to the European Parliament and to the Council.4. As soon as it adopts a delegated act, the Commission shall notify it simultaneously to the European Parliament and to the Council.4. As soon as it adopts a delegated act, the Commission shall notify it simultaneously to the European Parliament and to the Council.
Article 73 – paragraph 5 5. Any delegated act adopted pursuant to Article 4, Article 7(1), Article 11(3), Article 43(5) and (6) and Article 48(5) shall enter into force only if no objection has been expressed by either the European Parliament or the Council within a period of three months of notification of that act to the European Parliament and the Council or if, before the expiry of that period, the European Parliament and the Council have both informed the Commission that they will not object. That period shall be extended by three months at the initiative of the European Parliament or of the Council.5. Any delegated act adopted pursuant to Article 4, Article 7(1), Article 11(3), Article 43(5) and (6) and Article 48(5) shall enter into force only if no objection has been expressed by either the European Parliament or the Council within a period of three months of notification of that act to the European Parliament and the Council or if, before the expiry of that period, the European Parliament and the Council have both informed the Commission that they will not object. That period shall be extended by three months at the initiative of the European Parliament or of the Council.5. Any delegated act adopted pursuant to Article 7(1), Article 7(3), Article 11(3), Article 43(5) and (6) and Article 48(5) shall enter into force only if no objection has been expressed by either the European Parliament or the Council within a period of three months of notification of that act to the European Parliament and the Council or if, before the expiry of that period, the European Parliament and the Council have both informed the Commission that they will not object. That period shall be extended by three months at the initiative of the European Parliament or of the Council.5. Any delegated act adopted pursuant to Article 4, Article 7(1), Article 7(3), Article 11(3), Article 43(5) and (6) and Article 48(5) shall enter into force only if no objection has been expressed by either the European Parliament or the Council within a period of three months of notification of that act to the European Parliament and the Council or if, before the expiry of that period, the European Parliament and the Council have both informed the Commission that they will not object. That period shall be extended by three months at the initiative of the European Parliament or of the Council.
Article 74
NumberingCommissionParliamentCouncilText proposed by the AI
Article 74Article 74
Committee procedure		Article 74
Committee procedure		Article 74
Committee procedure		None
Article 74 – paragraph 11. The Commission shall be assisted by a committee. That committee shall be a committee within the meaning of Regulation (EU) No 182/2011.1. The Commission shall be assisted by a committee. That committee shall be a committee within the meaning of Regulation (EU) No 182/2011.1. The Commission shall be assisted by a committee. That committee shall be a committee within the meaning of Regulation (EU) No 182/2011.1. The Commission shall be assisted by a committee. That committee shall be a committee within the meaning of Regulation (EU) No 182/2011.
Article 74 – paragraph 22. Where reference is made to this paragraph, Article 5 of Regulation (EU) No 182/2011 shall apply.2. Where reference is made to this paragraph, Article 5 of Regulation (EU) No 182/2011 shall apply.2. Where reference is made to this paragraph, Article 5 of Regulation (EU) No 182/2011 shall apply.2. Where reference is made to this paragraph, Article 5 of Regulation (EU) No 182/2011 shall apply.

TITLE XII: Final Provisions

Article 75
NumberingCommissionParliamentCouncilText proposed by the AI
Article 75 Article 75
Amendment to Regulation (EC) No 300/2008		Article 75
Amendment to Regulation (EC) No 300/2008		Article 75
Amendment to Regulation (EC) No 300/2008		Article 75
Amendment to Regulation (EC) No 300/2008
Article 75 – paragraph 1In Article 4(3) of Regulation (EC) No 300/2008, the following subparagraph is added:
“When adopting detailed measures related to technical specifications and procedures for approval and use of security equipment concerning Artificial Intelligence systems in the meaning of Regulation (EU) YYY/XX [on Artificial Intelligence] of the European Parliament and of the Council*, the requirements set out in Chapter 2, Title III of that Regulation shall be taken into account.”
__________
* Regulation (EU) YYY/XX [on Artificial Intelligence] (OJ …).”		In Article 4(3) of Regulation (EC) No 300/2008, the following subparagraph is added:
“When adopting detailed measures related to technical specifications and procedures for approval and use of security equipment concerning Artificial Intelligence systems in the meaning of Regulation (EU) YYY/XX [on Artificial Intelligence] of the European Parliament and of the Council*, the requirements set out in Chapter 2, Title III of that Regulation shall be taken into account.”
__________
* Regulation (EU) YYY/XX [on Artificial Intelligence] (OJ …).”		In Article 4(3) of Regulation (EC) No 300/2008, the following subparagraph is added:
“When adopting detailed measures related to technical specifications and procedures for approval
and use of security equipment concerning Artificial Intelligence systems in the meaning of Regulation (EU) YYY/XX [on Artificial Intelligence] of the European Parliament and of the Council*, the requirements set out in Chapter 2, Title III of that Regulation shall be taken into account.”
__________
* Regulation (EU) YYY/XX [on Artificial Intelligence] (OJ …).”		In Article 4(3) of Regulation (EC) No 300/2008, the following subparagraph is added:
“When adopting detailed measures related to technical specifications and procedures for approval and use of security equipment concerning Artificial Intelligence systems in the meaning of Regulation (EU) YYY/XX [on Artificial Intelligence] of the European Parliament and of the Council*, the requirements set out in Chapter 2, Title III of that Regulation shall be taken into account.”
__________
* Regulation (EU) YYY/XX [on Artificial Intelligence] (OJ …).”
Article 76
NumberingCommissionParliamentCouncilText proposed by the AI
Article 76Article 76
Amendment to Regulation (EU) No 167/2013		Article 76
Amendment to Regulation (EU) No 167/2013		Article 76
Amendment to Regulation (EU) No 167/2013		Article 76
Amendment to Regulation (EU) No 167/2013
Article 76 – paragraph 1In Article 17(5) of Regulation (EU) No 167/2013, the following subparagraph is added:
“When adopting delegated acts pursuant to the first subparagraph concerning artificial intelligence systems which are safety components in the meaning of Regulation (EU) YYY/XX [on Artificial Intelligence] of the European Parliament and of the Council*, the requirements set out in Title III, Chapter 2 of that Regulation shall be taken into account.
__________
* Regulation (EU) YYY/XX [on Artificial Intelligence] (OJ …).”		In Article 17(5) of Regulation (EU) No 167/2013, the following subparagraph is added:
“When adopting delegated acts pursuant to the first subparagraph concerning artificial intelligence systems which are safety components in the meaning of Regulation (EU) YYY/XX [on Artificial Intelligence] of the European Parliament and of the Council*, the requirements set out in Title III, Chapter 2 of that Regulation shall be taken into account.
__________
* Regulation (EU) YYY/XX [on Artificial Intelligence] (OJ …).”		In Article 17(5) of Regulation (EU) No 167/2013, the following subparagraph is added:
“When adopting delegated acts pursuant to the first subparagraph concerning artificial intelligence
systems which are safety components in the meaning of Regulation (EU) YYY/XX [on Artificial Intelligence] of the European Parliament and of the Council*, the requirements set out in Title III, Chapter 2 of that Regulation shall be taken into account.
__________
* Regulation (EU) YYY/XX [on Artificial Intelligence] (OJ …).”		In Article 17(5) of Regulation (EU) No 167/2013, the following subparagraph is added:
“When adopting delegated acts pursuant to the first subparagraph concerning artificial intelligence systems which are safety components in the meaning of Regulation (EU) YYY/XX [on Artificial Intelligence] of the European Parliament and of the Council*, the requirements set out in Title III, Chapter 2 of that Regulation shall be taken into account.
__________
* Regulation (EU) YYY/XX [on Artificial Intelligence] (OJ …).”
Article 77
NumberingCommissionParliamentCouncilText proposed by the AI
Article 77Article 77
Amendment to Regulation (EU) No 168/2013		Article 77
Amendment to Regulation (EU) No 168/2013		Article 77
Amendment to Regulation (EU) No 168/2013		Article 77
Amendment to Regulation (EU) No 168/2013
Article 77 – paragraph 1In Article 22(5) of Regulation (EU) No 168/2013, the following subparagraph is added:
“When adopting delegated acts pursuant to the first subparagraph concerning Artificial Intelligence systems which are safety components in the meaning of Regulation (EU) YYY/XX on [Artificial Intelligence] of the European Parliament and of the Council*, the requirements set out in Title III, Chapter 2 of that Regulation shall be taken into account.
__________
* Regulation (EU) YYY/XX [on Artificial Intelligence] (OJ …).”		In Article 22(5) of Regulation (EU) No 168/2013, the following subparagraph is added:
“When adopting delegated acts pursuant to the first subparagraph concerning Artificial Intelligence systems which are safety components in the meaning of Regulation (EU) YYY/XX on [Artificial Intelligence] of the European Parliament and of the Council*, the requirements set out in Title III, Chapter 2 of that Regulation shall be taken into account.
__________
* Regulation (EU) YYY/XX [on Artificial Intelligence] (OJ …).”		In Article 22(5) of Regulation (EU) No 168/2013, the following subparagraph is added:
“When adopting delegated acts pursuant to the first subparagraph concerning Artificial Intelligence systems which are safety components in the meaning of Regulation (EU) YYY/XX on [Artificial Intelligence] of the European Parliament and of the Council*, the requirements set out in Title III, Chapter 2 of that Regulation shall be taken into account.
__________
* Regulation (EU) YYY/XX [on Artificial Intelligence] (OJ …).”		In Article 22(5) of Regulation (EU) No 168/2013, the following subparagraph is added:
“When adopting delegated acts pursuant to the first subparagraph concerning Artificial Intelligence systems which are safety components in the meaning of Regulation (EU) YYY/XX on [Artificial Intelligence] of the European Parliament and of the Council*, the requirements set out in Title III, Chapter 2 of that Regulation shall be taken into account.
__________
* Regulation (EU) YYY/XX [on Artificial Intelligence] (OJ …).”
Article 78
NumberingCommissionParliamentCouncilText proposed by the AI
Article 78 Article 78
Amendment to Directive 2014/90/EU		Article 78
Amendment to Directive 2014/90/EU		Article 78
Amendment to Directive 2014/90/EU		Article 78
Amendment to Directive 2014/90/EU
Article 78 – paragraph 1In Article 8 of Directive 2014/90/EU, the following paragraph is added:
“4. For Artificial Intelligence systems which are safety components in the meaning of Regulation (EU) YYY/XX [on Artificial Intelligence] of the European Parliament and of the Council*, when carrying out its activities pursuant to paragraph 1 and when adopting technical specifications and testing standards in accordance with paragraphs 2 and 3, the Commission shall take into account the requirements set out in Title III, Chapter 2 of that Regulation.
__________
* Regulation (EU) YYY/XX [on Artificial Intelligence] (OJ …).”.		In Article 8 of Directive 2014/90/EU, the following paragraph is added:
“4. For Artificial Intelligence systems which are safety components in the meaning of Regulation (EU) YYY/XX [on Artificial Intelligence] of the European Parliament and of the Council*, when carrying out its activities pursuant to paragraph 1 and when adopting technical specifications and testing standards in accordance with paragraphs 2 and 3, the Commission shall take into account the requirements set out in Title III, Chapter 2 of that Regulation.
__________
* Regulation (EU) YYY/XX [on Artificial Intelligence] (OJ …).”.		In Article 8 of Directive 2014/90/EU, the following paragraph is added:
“4. For Artificial Intelligence systems which are safety components in the meaning of Regulation (EU) YYY/XX [on Artificial Intelligence] of the European Parliament and of the Council*, when carrying out its activities pursuant to paragraph 1 and when adopting technical specifications and testing standards in accordance with paragraphs 2 and 3, the Commission shall take into account the requirements set out in Title III, Chapter 2 of that Regulation.
__________
* Regulation (EU) YYY/XX [on Artificial Intelligence] (OJ …).”.		In Article 8 of Directive 2014/90/EU, the following paragraph is added:
“4. For Artificial Intelligence systems which are safety components in the meaning of Regulation (EU) YYY/XX [on Artificial Intelligence] of the European Parliament and of the Council*, when carrying out its activities pursuant to paragraph 1 and when adopting technical specifications and testing standards in accordance with paragraphs 2 and 3, the Commission shall take into account the requirements set out in Title III, Chapter 2 of that Regulation.
__________
* Regulation (EU) YYY/XX [on Artificial Intelligence] (OJ …).”.
Article 79
NumberingCommissionParliamentCouncilText proposed by the AI
Article 79Article 79
Amendment to Directive (EU) 2016/797		Article 79
Amendment to Directive (EU) 2016/797		Article 79
Amendment to Directive (EU) 2016/797		Article 79
Amendment to Directive (EU) 2016/797
Article 79 – paragraph 1In Article 5 of Directive (EU) 2016/797, the following paragraph is added:
“12. When adopting delegated acts pursuant to paragraph 1 and implementing acts pursuant to paragraph 11 concerning Artificial Intelligence systems which are safety components in the meaning of Regulation (EU) YYY/XX [on Artificial Intelligence] of the European Parliament and of the Council*, the requirements set out in Title III, Chapter 2 of that Regulation shall be taken into account.
__________
* Regulation (EU) YYY/XX [on Artificial Intelligence] (OJ …).”.		In Article 5 of Directive (EU) 2016/797, the following paragraph is added:
“12. When adopting delegated acts pursuant to paragraph 1 and implementing acts pursuant to paragraph 11 concerning Artificial Intelligence systems which are safety components in the meaning of Regulation (EU) YYY/XX [on Artificial Intelligence] of the European Parliament and of the Council*, the requirements set out in Title III, Chapter 2 of that Regulation shall be taken into account.
__________
* Regulation (EU) YYY/XX [on Artificial Intelligence] (OJ …).”.		In Article 5 of Directive (EU) 2016/797, the following paragraph is added:
“12. When adopting delegated acts pursuant to paragraph 1 and implementing acts pursuant to
paragraph 11 concerning Artificial Intelligence systems which are safety components in the meaning of Regulation (EU) YYY/XX [on Artificial Intelligence] of the European Parliament and of the Council*, the requirements set out in Title III, Chapter 2 of that Regulation shall be taken into account.
__________
* Regulation (EU) YYY/XX [on Artificial Intelligence] (OJ …).”.		In Article 5 of Directive (EU) 2016/797, the following paragraph is added:
“12. When adopting delegated acts pursuant to paragraph 1 and implementing acts pursuant to paragraph 11 concerning Artificial Intelligence systems which are safety components in the meaning of Regulation (EU) YYY/XX [on Artificial Intelligence] of the European Parliament and of the Council*, the requirements set out in Title III, Chapter 2 of that Regulation shall be taken into account.
__________
* Regulation (EU) YYY/XX [on Artificial Intelligence] (OJ …).”.
Article 80
NumberingCommissionParliamentCouncilText proposed by the AI
Article 80Article 80
Amendment to Regulation (EU) 2018/858		Article 80
Amendment to Regulation (EU) 2018/858		Article 80
Amendment to Regulation (EU) 2018/858		Article 80
Amendment to Regulation (EU) 2018/858
Article 80 – paragraph 1In Article 5 of Regulation (EU) 2018/858 the following paragraph is added:
“4. When adopting delegated acts pursuant to paragraph 3 concerning Artificial Intelligence systems which are safety components in the meaning of Regulation (EU) YYY/XX [on Artificial Intelligence] of the European Parliament and of the Council *, the requirements set out in Title III, Chapter 2 of that Regulation shall be taken into account.
__________
* Regulation (EU) YYY/XX [on Artificial Intelligence] (OJ …).”.		In Article 5 of Regulation (EU) 2018/858 the following paragraph is added:
“4. When adopting delegated acts pursuant to paragraph 3 concerning Artificial Intelligence systems which are safety components in the meaning of Regulation (EU) YYY/XX [on Artificial Intelligence] of the European Parliament and of the Council *, the requirements set out in Title III, Chapter 2 of that Regulation shall be taken into account.
__________
* Regulation (EU) YYY/XX [on Artificial Intelligence] (OJ …).”.		In Article 5 of Regulation (EU) 2018/858 the following paragraph is added:
“4. When adopting delegated acts pursuant to paragraph 3 concerning Artificial Intelligence systems which are safety components in the meaning of Regulation (EU) YYY/XX [on Artificial Intelligence] of the European Parliament and of the Council *, the requirements set out in Title III, Chapter 2 of that Regulation shall be taken into account.
__________
* Regulation (EU) YYY/XX [on Artificial Intelligence] (OJ …).”.		In Article 5 of Regulation (EU) 2018/858 the following paragraph is added:
“4. When adopting delegated acts pursuant to paragraph 3 concerning Artificial Intelligence systems which are safety components in the meaning of Regulation (EU) YYY/XX [on Artificial Intelligence] of the European Parliament and of the Council *, the requirements set out in Title III, Chapter 2 of that Regulation shall be taken into account.
__________
* Regulation (EU) YYY/XX [on Artificial Intelligence] (OJ …).”.
Article 81
NumberingCommissionParliamentCouncilText proposed by the AI
Article 81Article 81
Amendment to Regulation (EU) 2018/1139		Article 81
Amendment to Regulation (EU) 2018/1139		Article 81
Amendment to Regulation (EU) 2018/1139		Article 81
Amendment to Regulation (EU) 2018/1139
Article 81 – paragraph 1Regulation (EU) 2018/1139 is amended as follows:
(
1) In Article 17, the following paragraph is added:
“3. Without prejudice to paragraph 2, when adopting implementing acts pursuant to paragraph 1 concerning Artificial Intelligence systems which are safety components in the meaning of Regulation (EU) YYY/XX [on Artificial Intelligence] of the European Parliament and of the Council*, the requirements set out in Title III, Chapter 2 of that Regulation shall be taken into account.
__________
* Regulation (EU) YYY/XX [on Artificial Intelligence] (OJ …).”

(2) In Article 19, the following paragraph is added:
“4. When adopting delegated acts pursuant to paragraphs 1 and 2 concerning Artificial Intelligence systems which are safety components in the meaning of Regulation (EU) YYY/XX [on Artificial Intelligence], the requirements set out in Title III, Chapter 2 of that Regulation shall be taken into account.”

(3) In Article 43, the following paragraph is added:
“4. When adopting implementing acts pursuant to paragraph 1 concerning Artificial Intelligence systems which are safety components in the meaning of Regulation (EU) YYY/XX [on Artificial Intelligence], the requirements set out in Title III, Chapter 2 of that Regulation shall be taken into account.”

(4) In Article 47, the following paragraph is added:
“3. When adopting delegated acts pursuant to paragraphs 1 and 2 concerning Artificial Intelligence systems which are safety components in the meaning of Regulation (EU) YYY/XX [on Artificial Intelligence], the requirements set out in Title III, Chapter 2 of that Regulation shall be taken into account.”

(5) In Article 57, the following paragraph is added:
“When adopting those implementing acts concerning Artificial Intelligence systems which are safety components in the meaning of Regulation (EU) YYY/XX [on Artificial Intelligence], the requirements set out in Title III, Chapter 2 of that Regulation shall be taken into account.”

(6) In Article 58, the following paragraph is added:
“3. When adopting delegated acts pursuant to paragraphs 1 and 2 concerning Artificial Intelligence systems which are safety components in the meaning of Regulation (EU) YYY/XX [on Artificial Intelligence] , the requirements set out in Title III, Chapter 2 of that Regulation shall be taken into account.”.		Regulation (EU) 2018/1139 is amended as follows:

(1) In Article 17, the following paragraph is added:
“3. Without prejudice to paragraph 2, when adopting implementing acts pursuant to paragraph 1 concerning Artificial Intelligence systems which are safety components in the meaning of Regulation (EU) YYY/XX [on Artificial Intelligence] of the European Parliament and of the Council*, the requirements set out in Title III, Chapter 2 of that Regulation shall be taken into account.
__________
* Regulation (EU) YYY/XX [on Artificial Intelligence] (OJ …).”

(2) In Article 19, the following paragraph is added:
“4. When adopting delegated acts pursuant to paragraphs 1 and 2 concerning Artificial Intelligence systems which are safety components in the meaning of Regulation (EU) YYY/XX [on Artificial Intelligence], the requirements set out in Title III, Chapter 2 of that Regulation shall be taken into account.”

(3) In Article 43, the following paragraph is added:
“4. When adopting implementing acts pursuant to paragraph 1 concerning Artificial Intelligence systems which are safety components in the meaning of Regulation (EU) YYY/XX [on Artificial Intelligence], the requirements set out in Title III, Chapter 2 of that Regulation shall be taken into account.”

(4) In Article 47, the following paragraph is added:
“3. When adopting delegated acts pursuant to paragraphs 1 and 2 concerning Artificial Intelligence systems which are safety components in the meaning of Regulation (EU) YYY/XX [on Artificial Intelligence], the requirements set out in Title III, Chapter 2 of that Regulation shall be taken into account.”

(5) In Article 57, the following paragraph is added:
“When adopting those implementing acts concerning Artificial Intelligence systems which are safety components in the meaning of Regulation (EU) YYY/XX [on Artificial Intelligence], the requirements set out in Title III, Chapter 2 of that Regulation shall be taken into account.”

(6) In Article 58, the following paragraph is added:
“3. When adopting delegated acts pursuant to paragraphs 1 and 2 concerning Artificial Intelligence systems which are safety components in the meaning of Regulation (EU) YYY/XX [on Artificial Intelligence] , the requirements set out in Title III, Chapter 2 of that Regulation shall be taken into account.”.		Regulation (EU) 2018/1139 is amended as follows:

(1) In Article 17, the following paragraph is added:
“3. Without prejudice to paragraph 2, when adopting implementing acts pursuant to paragraph 1 concerning Artificial Intelligence systems which are safety components in the meaning of Regulation (EU) YYY/XX [on Artificial Intelligence] of the European Parliament and of the Council*, the requirements set out in Title III, Chapter 2 of that Regulation shall be taken into account.
__________
* Regulation (EU) YYY/XX [on Artificial Intelligence] (OJ …).”

(2) In Article 19, the following paragraph is added:
“4. When adopting delegated acts pursuant to paragraphs 1 and 2 concerning Artificial Intelligence systems which are safety components in the meaning of Regulation (EU) YYY/XX [on Artificial Intelligence], the requirements set out in Title III, Chapter 2 of that Regulation shall be taken into account.”

(3) In Article 43, the following paragraph is added:
“4. When adopting implementing acts pursuant to paragraph 1 concerning Artificial Intelligence
systems which are safety components in the meaning of Regulation (EU) YYY/XX [on Artificial Intelligence], the requirements set out in Title III, Chapter 2 of that Regulation shall be taken into account.”

(4) In Article 47, the following paragraph is added:
“3. When adopting delegated acts pursuant to paragraphs 1 and 2 concerning Artificial Intelligence systems which are safety components in the meaning of Regulation (EU) YYY/XX [on Artificial Intelligence], the requirements set out in Title III, Chapter 2 of that Regulation shall be taken into account.”

(5) In Article 57, the following paragraph is added:
“When adopting those implementing acts concerning Artificial Intelligence systems which are safety components in the meaning of Regulation (EU) YYY/XX [on Artificial Intelligence], the requirements set out in Title III, Chapter 2 of that Regulation shall be taken into account.”

(6) In Article 58, the following paragraph is added:
“3. When adopting delegated acts pursuant to paragraphs 1 and 2 concerning Artificial Intelligence systems which are safety components in the meaning of Regulation (EU) YYY/XX [on Artificial Intelligence] , the requirements set out in Title III, Chapter 2 of that Regulation shall be taken into account.”.		Regulation (EU) 2018/1139 is amended as follows:

(1) In Article 17, the following paragraph is added:
“3. Without prejudice to paragraph 2, when adopting implementing acts pursuant to paragraph 1 concerning Artificial Intelligence systems which are safety components in the meaning of Regulation (EU) YYY/XX [on Artificial Intelligence] of the European Parliament and of the Council*, the requirements set out in Title III, Chapter 2 of that Regulation shall be taken into account.
__________
* Regulation (EU) YYY/XX [on Artificial Intelligence] (OJ …).”

(2) In Article 19, the following paragraph is added:
“4. When adopting delegated acts pursuant to paragraphs 1 and 2 concerning Artificial Intelligence systems which are safety components in the meaning of Regulation (EU) YYY/XX [on Artificial Intelligence], the requirements set out in Title III, Chapter 2 of that Regulation shall be taken into account.”

(3) In Article 43, the following paragraph is added:
“4. When adopting implementing acts pursuant to paragraph 1 concerning Artificial Intelligence systems which are safety components in the meaning of Regulation (EU) YYY/XX [on Artificial Intelligence], the requirements set out in Title III, Chapter 2 of that Regulation shall be taken into account.”

(4) In Article 47, the following paragraph is added:
“3. When adopting delegated acts pursuant to paragraphs 1 and 2 concerning Artificial Intelligence systems which are safety components in the meaning of Regulation (EU) YYY/XX [on Artificial Intelligence], the requirements set out in Title III, Chapter 2 of that Regulation shall be taken into account.”

(5) In Article 57, the following paragraph is added:
“When adopting those implementing acts concerning Artificial Intelligence systems which are safety components in the meaning of Regulation (EU) YYY/XX [on Artificial Intelligence], the requirements set out in Title III, Chapter 2 of that Regulation shall be taken into account.”

(6) In Article 58, the following paragraph is added:
“3. When adopting delegated acts pursuant to paragraphs 1 and 2 concerning Artificial Intelligence systems which are safety components in the meaning of Regulation (EU) YYY/XX [on Artificial Intelligence] , the requirements set out in Title III, Chapter 2 of that Regulation shall be taken into account.”.
Article 81a (new)Article 81a
Amendment to Regulation (EU) 2019/1020

Regulation (EU) 2019/1020 is amended as follows: in Article 14(4), the following paragraph is added:

“(l). the power to implement the powers provided for in this Article remotely, where applicable;”
Article 81a
Amendment to Regulation (EU) 2019/1020

Regulation (EU) 2019/1020 is amended as follows: in Article 14(4), the following paragraph is added:

“(l). the power to implement the powers provided for in this Article remotely, where applicable;”
Article 82
NumberingCommissionParliamentCouncilText proposed by the AI
Article 82Article 82
Amendment to Regulation (EU) 2019/2144		Article 82
Amendment to Regulation (EU) 2019/2144		Article 82
Amendment to Regulation (EU) 2019/2144		Article 82
Amendment to Regulation (EU) 2019/2144
Article 82 – paragraph 1In Article 11 of Regulation (EU) 2019/2144, the following paragraph is added:
“3. When adopting the implementing acts pursuant to paragraph 2, concerning artificial intelligence systems which are safety components in the meaning of Regulation (EU) YYY/XX [on Artificial Intelligence] of the European Parliament and of the Council*, the requirements set out in Title III, Chapter 2 of that Regulation shall be taken into account.
__________
* Regulation (EU) YYY/XX [on Artificial Intelligence] (OJ …).”.		In Article 11 of Regulation (EU) 2019/2144, the following paragraph is added:
“3. When adopting the implementing acts pursuant to paragraph 2, concerning artificial intelligence systems which are safety components in the meaning of Regulation (EU) YYY/XX [on Artificial Intelligence] of the European Parliament and of the Council*, the requirements set out in Title III, Chapter 2 of that Regulation shall be taken into account.
__________
* Regulation (EU) YYY/XX [on Artificial Intelligence] (OJ …).”.		In Article 11 of Regulation (EU) 2019/2144, the following paragraph is added:
“3. When adopting the implementing acts pursuant to paragraph 2, concerning artificial intelligence
systems which are safety components in the meaning of Regulation (EU) YYY/XX [on Artificial Intelligence] of the European Parliament and of the Council*, the requirements set out in Title III, Chapter 2 of that Regulation shall be taken into account.
__________
* Regulation (EU) YYY/XX [on Artificial Intelligence] (OJ …).”.		In Article 11 of Regulation (EU) 2019/2144, the following paragraph is added:
“3. When adopting the implementing acts pursuant to paragraph 2, concerning artificial intelligence systems which are safety components in the meaning of Regulation (EU) YYY/XX [on Artificial Intelligence] of the European Parliament and of the Council*, the requirements set out in Title III, Chapter 2 of that Regulation shall be taken into account.
__________
* Regulation (EU) YYY/XX [on Artificial Intelligence] (OJ …).”.
Article 82a (new)Article 82a
Better Regulation

In taking into account the requirements of this Regulation pursuant to the Amendments in Articles 75, 76, 77, 78, 79, 80, 81, and 82, the Commission shall conduct an analysis and consult relevant stakeholders to determine potential gaps as well as overlaps between existing sectoral legislation and the provisions of this Regulation.		In accordance with the amendments in Articles 75, 76, 77, 78, 79, 80, 81, and 82, the Commission shall undertake an analysis and engage with relevant stakeholders to identify potential gaps and overlaps between existing sectoral legislation and the provisions of this Regulation, thereby ensuring better regulation.
Article 82b (new)Article 82 b
Guidelines from the Commission on the implementation of this Regulation

1. The Commission shall develop, in consultation with the AI office, guidelines on the practical implementation of this Regulation, and in particular on:
(a) the application of the requirements referred to in Articles 8 – 15 and Article 28 to 28b;
(b) the prohibited practices referred to in Article 5;
(c) the practical implementation of the provisions related to substantial modification;
(d) the practical circumstances where the output of an AI system referred to in Annex III would pose a significant risk of harm to the health, safety or fundamental rights of natural persons as referred to in Article 6, paragraph 2, including examples in relation to high risk AI systems referred to in Annex III;
(e) the practical implementation of transparency obligations laid down in Article 52;
(f) the development of codes of conduct referred to in Article 69;
(g) the relationship of this Regulation with other relevant Union law, including as regards consistency in their enforcement.
(h) the practical implementation of Article 12, Article 28b on environmental impact of foundation models and Annex IV 3(b), particularly the measurement and logging methods to enable calculations and reporting of the environmental impact of systems to comply with the obligations in this Regulation, including carbon footprint and energy efficiency, taking into account state-of-the-art methods and economies of scale.

When issuing such guidelines, the Commission shall pay particular attention to the needs of SMEs including start-ups, local public authorities and sectors most likely to be affected by this Regulation.

2. Upon request of the Member States or the AI Office, or on its own initiative, the Commission shall update already adopted guidelines when deemed necessary. 		Article 82 b
Guidelines from the Commission on the implementation of this Regulation

1. The Commission, in consultation with the AI office, shall develop guidelines on the practical implementation of this Regulation, focusing on:
(a) the application of the requirements mentioned in Articles 8 – 15 and Article 28 to 28b;
(b) the prohibited practices outlined in Article 5;
(c) the practical implementation of the provisions related to substantial modification;
(d) the circumstances where the output of an AI system referred to in Annex III could pose a significant risk to the health, safety, or fundamental rights of natural persons as mentioned in Article 6, paragraph 2, including examples related to high-risk AI systems referred to in Annex III;
(e) the practical implementation of transparency obligations laid down in Article 52;
(f) the development of codes of conduct referred to in Article 69;
(g) the relationship of this Regulation with other relevant Union law, including consistency in their enforcement;
(h) the practical implementation of Article 12, Article 28b on the environmental impact of foundation models and Annex IV 3(b), particularly the measurement and logging methods to enable calculations and reporting of the environmental impact of systems to comply with the obligations in this Regulation, including carbon footprint and energy efficiency, considering state-of-the-art methods and economies of scale.

While issuing these guidelines, the Commission should pay special attention to the needs of SMEs, including start-ups, local public authorities, and sectors most likely to be affected by this Regulation.

2. The Commission, upon request from the Member States or the AI Office, or on its own initiative, shall update the already adopted guidelines when deemed necessary.
Article 83
NumberingCommissionParliamentCouncilText proposed by the AI
Article 83 – paragraph 1 – introductory part1. This Regulation shall not apply to the AI systems which are components of the large-scale IT systems established by the legal acts listed in Annex IX that have been placed on the market or put into service before [12 months after the date of application of this Regulation referred to in Article 85(2)], unless the replacement or amendment of those legal acts leads to a significant change in the design or intended purpose of the AI system or AI systems concerned.1. Operators of the AI systems which are components of the large-scale IT systems established by the legal acts listed in Annex IX that have been placed on the market or put into service prior to … [the date of entry into force of this Regulation] shall take the necessary steps to comply with the requirements laid down in this Regulation by … [four years after the date of entry into force of this Regulation].1. This Regulation shall not apply to the AI systems which are components of the large-scale IT systems established by the legal acts listed in Annex IX that have been placed on the market or put into service before [12 months after the date of application of this Regulation referred to in Article 85(2)], unless the replacement or amendment of those legal acts leads to a significant change in the design or intended purpose of the AI system or AI systems concerned.1. This Regulation shall apply to the AI systems which are components of the large-scale IT systems established by the legal acts listed in Annex IX that have been placed on the market or put into service before [12 months after the date of application of this Regulation referred to in Article 85(2)], unless the replacement or amendment of those legal acts leads to a significant change in the design or intended purpose of the AI system or AI systems concerned. Operators of these AI systems shall take the necessary steps to comply with the requirements laid down in this Regulation by … [four years after the date of entry into force of this Regulation].
Article 83 – paragraph 1 – subparagraph 1The requirements laid down in this Regulation shall be taken into account, where applicable, in the evaluation of each large-scale IT systems established by the legal acts listed in Annex IX to be undertaken as provided for in those respective acts.The requirements laid down in this Regulation shall be taken into account in the evaluation of each large-scale IT systems established by the legal acts listed in Annex IX to be undertaken as provided for in those respective acts and whenever those legal acts are replaced or amended.The requirements laid down in this Regulation shall be taken into account, where applicable, in the evaluation of each large-scale IT systems established by the legal acts listed in Annex IX to be undertaken as provided for in those respective acts.The requirements laid down in this Regulation shall be taken into account, where applicable, in the evaluation of each large-scale IT systems established by the legal acts listed in Annex IX to be undertaken as provided for in those respective acts and whenever those legal acts are replaced or amended.
Article 83 – paragraph 22. This Regulation shall apply to the high-risk AI systems, other than the ones referred to in paragraph 1, that have been placed on the market or put into service before [date of application of this Regulation referred to in Article 85(2)], only if, from that date, those systems are subject to significant changes in their design or intended purpose.2. This Regulation shall apply to operators of high-risk AI systems, other than the ones referred to in paragraph 1, that have been placed on the market or put into service before [date of application of this Regulation referred to in Article 85(2)], only if, from that date, those systems are subject to substantial modifications as defined in Article 3(23). In the case of high-risk AI systems intended to be used by public authorities, providers and deployers of such systems shall take the necessary steps to comply with the requirements of the present Regulation [two years after the date of entry into force of this Regulation].2. This Regulation shall apply to the high-risk AI systems, other than the ones referred to in paragraph 1, that have been placed on the market or put into service before [date of application of this Regulation referred to in Article 85(2)], only if, from that date, those systems are subject to significant changes in their design or intended purpose.2. This Regulation shall apply to operators of high-risk AI systems, other than the ones referred to in paragraph 1, that have been placed on the market or put into service before [date of application of this Regulation referred to in Article 85(2)], only if, from that date, those systems are subject to significant changes in their design or intended purpose or substantial modifications as defined in Article 3(23). In the case of high-risk AI systems intended to be used by public authorities, providers and deployers of such systems shall take the necessary steps to comply with the requirements of the present Regulation [two years after the date of entry into force of this Regulation].
Article 84
NumberingCommissionParliamentCouncilText proposed by the AI
Article 84Article 84
Evaluation and review		Article 84
Evaluation and review		Article 84
Evaluation and review		None
Article 84 – paragraph 11. The Commission shall assess the need for amendment of the list in Annex III once a year following the entry into force of this Regulation.1. After consulting the AI Office, the Commission shall assess the need for amendment of the list in Annex III, including the extension of existing area headings or addition of new area headings in that Annex the list of prohibited AI practices in Article 5, and the list of AI systems requiring additional transparency measures in Article 52 once a year following the entry into force of this Regulation and following a recommendation of the Office.
The Commission shall submit the findings of that assessment to the European Parliament and the Council.		1b. The Commission shall assess the need for amendment of the list in Annex III every 24 months following the entry into force of this Regulation and until the end of the period of the delegation of power. The findings of that assessment shall be presented to the European Parliament and the Council.1. Following consultation with the AI Office and after the entry into force of this Regulation, the Commission shall assess the need for amendment of the list in Annex III, including the extension of existing area headings or addition of new area headings in that Annex, the list of prohibited AI practices in Article 5, and the list of AI systems requiring additional transparency measures in Article 52. This assessment shall be conducted once a year for the first two years and thereafter every 24 months until the end of the period of the delegation of power. The findings of that assessment shall be submitted to the European Parliament and the Council.
Article 84 – paragraph 22. By [three years after the date of application of this Regulation referred to in Article 85(2)] and every four years thereafter, the Commission shall submit a report on the evaluation and review of this Regulation to the European Parliament and to the Council. The reports shall be made public.2. By … [two years after the date of application of this Regulation referred to in Article 85(2)] and every two years thereafter, the Commission, together with the AI office, shall submit a report on the evaluation and review of this Regulation to the European Parliament and to the Council. The reports shall be made public.2. By [three years after the date of application of this Regulation referred to in Article 85(2)] and every four years thereafter, the Commission shall submit a report on the evaluation and review of this Regulation to the European Parliament and to the Council. The reports shall be made public.2. By [two years after the date of application of this Regulation referred to in Article 85(2)] and every four years thereafter, the Commission, together with the AI office, shall submit a report on the evaluation and review of this Regulation to the European Parliament and to the Council. The reports shall be made public.
Article 84 – paragraph 3 – introductory part3. The reports referred to in paragraph 2 shall devote specific attention to the following:3. The reports referred to in paragraph 2 shall devote specific attention to the following:3. The reports referred to in paragraph 2 shall devote specific attention to the following:3. The reports referred to in paragraph 2 shall devote specific attention to the following:
Article 84 – paragraph 3 – point a(a) the status of the financial and human resources of the national competent authorities in order to effectively perform the tasks assigned to them under this Regulation;(a) the status of the financial, technical and human resources of the national competent authorities in order to effectively perform the tasks assigned to them under this Regulation;(a) the status of the financial resources, technical equipment and human resources of the national competent authorities in order to effectively perform the tasks assigned to them under this Regulation;(a) the status of the financial resources, technical equipment, and human resources of the national competent authorities in order to effectively perform the tasks assigned to them under this Regulation;
Article 84 – paragraph 3 – point b(b) the state of penalties, and notably administrative fines as referred to in Article 71(1), applied by Member States to infringements of the provisions of this Regulation.(b) the state of penalties, and notably administrative fines as referred to in Article 71(1), applied by Member States to infringements of the provisions of this Regulation.(b) the state of penalties, and notably administrative fines as referred to in Article 71(1), applied by Member States to infringements of the provisions of this Regulation.(b) the state of penalties, and notably administrative fines as referred to in Article 71(1), applied by Member States to infringements of the provisions of this Regulation.
Article 84 – paragraph 3 – point ba (new)(ba) the level of the development of harmonised standards and common specifications for Artificial Intelligence;The development level of harmonised standards and common specifications for Artificial Intelligence.
Article 84 – paragraph 3 – point bb (new)(bb) the levels of investments in research, development and application of AI systems throughout the Union;The levels of investments in research, development, and application of AI systems throughout the Union should be evaluated and enhanced.
Article 84 – paragraph 3 – point bc (new)(bc) the competitiveness of the aggregated European AI sector compared to AI sectors in third countries;The proposal focuses on evaluating the competitiveness of the consolidated European AI sector in comparison to AI sectors in third countries.
Article 84 – paragraph 3 – point bd (new)(bd) the impact of the Regulation with regards to the resource and energy use, as well as waste production and other environmental impact;The impact of the Regulation concerning the utilization of resources and energy, along with the production of waste and other environmental impacts.
Article 84 – paragraph 3 – point be (new)(be) the implementation of the coordinated plan on AI, taking into account the different level of progress among Member States and identifying existing barriers to innovation in AI;Implement the coordinated plan on AI, considering the varying levels of progress among Member States and identifying existing barriers to innovation in AI.
Article 84 – paragraph 3 – point bf (new)(bf) the update of the specific requirements regarding the sustainability of AI systems and foundation models, building on the reporting and documentation requirement in Annex IV and in Article 28b;The update of the specific requirements concerning the sustainability of AI systems and foundation models, with a focus on the reporting and documentation requirement as outlined in Annex IV and in Article 28b.
Article 84 – paragraph 3 – point bg (new)(bg) the legal regime governing foundation models;The establishment of a legal framework governing foundation models.
Article 84 – paragraph 3 – point bh (new)(bh) the list of unfair contractual terms within Article 28a taking into account new business practices if necessary;The list of unfair contractual terms within Article 28a should be updated, taking into account new business practices if necessary.
Article 84 – paragraph 3a (new)3a. By … [two years after the date of entry into application of this Regulation referred to in Article 85(2)] the Commission shall evaluate the functioning of the AI office, whether the office has been given sufficient powers and competences to fulfil its tasks and whether it would be relevant and needed for the proper implementation and enforcement of this Regulation to upgrade the Office and its enforcement competences and to increase its resources. The Commission shall submit this evaluation report to the European Parliament and to the Council.By [two years after the date of entry into application of this Regulation referred to in Article 85(2)], the Commission shall conduct an evaluation of the AI office. This evaluation will assess the effectiveness of the office, its powers and competences, and its ability to fulfil its tasks. The Commission will also consider whether it would be beneficial and necessary for the proper implementation and enforcement of this Regulation to enhance the Office and its enforcement competences and to augment its resources. The Commission shall present this evaluation report to the European Parliament and to the Council.
Article 84 – paragraph 44. Within [three years after the date of application of this Regulation referred to in Article 85(2)] and every four years thereafter, the Commission shall evaluate the impact and effectiveness of codes of conduct to foster the application of the requirements set out in Title III, Chapter 2 and possibly other additional requirements for AI systems other than high-risk AI systems.4. Within … [one year after the date of application of this Regulation referred to in Article 85(2)] and every two years thereafter, the Commission shall evaluate the impact and effectiveness of codes of conduct to foster the application of the requirements set out in Title III, Chapter 2 and possibly other additional requirements for AI systems other than high-risk AI systems;4. Within [three years after the date of application of this Regulation referred to in Article 85(2)] and every four years thereafter, where appropriate, the Commission shall evaluate the impact and effectiveness of voluntary codes of conduct to foster the application of the requirements set out in Title III, Chapter 2 for AI systems other than high-risk AI systems and possibly other additional requirements for AI systems, including as regards environmental sustainability.4. Within [one year after the date of application of this Regulation referred to in Article 85(2)] and every two years thereafter, where appropriate, the Commission shall evaluate the impact and effectiveness of codes of conduct, including voluntary ones, to foster the application of the requirements set out in Title III, Chapter 2 and possibly other additional requirements for AI systems other than high-risk AI systems, including as regards environmental sustainability.
Article 84 – paragraph 55. For the purpose of paragraphs 1 to 4 the Board, the Member States and national competent authorities shall provide the Commission with information on its request.5. For the purpose of paragraphs 1 to 4 the AI Office, the Member States and national competent authorities shall provide the Commission with information on its request without undue delay.5. For the purpose of paragraphs 1a to 4 the Board, the Member States and national competent authorities shall provide the Commission with information on its request.5. For the purpose of paragraphs 1 to 4, the Board/AI Office, the Member States and national competent authorities shall provide the Commission with information on its request without undue delay.
Article 84 – paragraph 66. In carrying out the evaluations and reviews referred to in paragraphs 1 to 4 the Commission shall take into account the positions and findings of the Board, of the European Parliament, of the Council, and of other relevant bodies or sources.6. in carrying out the evaluations and reviews referred to in paragraphs 1 to 4 the Commission shall take into account the positions and findings of the -AI Office of the European Parliament, of the Council, and of other relevant bodies or sources and shall consult relevant stakeholders. The result of such consultation shall be attached to the report;6. In carrying out the evaluations and reviews referred to in paragraphs 1a to 4 the Commission shall take into account the positions and findings of the Board, of the European Parliament, of the Council, and of other relevant bodies or sources.6. In carrying out the evaluations and reviews referred to in paragraphs 1 to 4, the Commission shall take into account the positions and findings of the Board, of the AI Office of the European Parliament, of the Council, and of other relevant bodies or sources, and shall consult relevant stakeholders. The result of such consultation shall be attached to the report.
Article 84 – paragraph 77. The Commission shall, if necessary, submit appropriate proposals to amend this Regulation, in particular taking into account developments in technology and in the light of the state of progress in the information society.7. the Commission shall, if necessary, submit appropriate proposals to amend this Regulation, in particular taking into account developments in technology, the effect of AI systems on health and safety, fundamental rights, the environment, equality, and accessibility for persons with disabilities, democracy and rule of law and in the light of the state of progress in the information society.7. The Commission shall, if necessary, submit appropriate proposals to amend this Regulation, in particular taking into account developments in technology and in the light of the state of progress in the information society.7. The Commission shall, if necessary, submit appropriate proposals to amend this Regulation, in particular taking into account developments in technology, the effect of AI systems on health and safety, fundamental rights, the environment, equality, and accessibility for persons with disabilities, democracy and rule of law and in the light of the state of progress in the information society.
Article 84 – paragraph 7a (new)7a. To guide the evaluations and reviews referred to in paragraphs 1 to 4 of this Article, the Office shall undertake to develop an objective and participative methodology for the evaluation of risk level based on the criteria outlined in the relevant articles and inclusion of new systems in: the list in Annex III, including the extension of existing area headings or addition of new area headings in that Annex; the list of prohibited practices laid down in Article 5; and the list of AI systems requiring additional transparency measures pursuant to Article 52.The Office shall undertake the development of an objective and participative methodology to guide the evaluations and reviews mentioned in paragraphs 1 to 4 of this Article. This methodology will be based on the criteria outlined in the relevant articles and will include the incorporation of new systems into: the list in Annex III, which may involve the extension of existing area headings or the addition of new area headings in that Annex; the list of prohibited practices as defined in Article 5; and the list of AI systems that require additional transparency measures in accordance with Article 52.
Article 84 – paragraph 7b (new)7b. Any amendment to this Regulation pursuant to paragraph 7 of this Article, or relevant future delegated or implementing acts, which concern sectoral legislation listed in Annex II Ssection B, shall take into account the regulatory specificities of each sector, and existing governance, conformity assessment and enforcement mechanisms and authorities established therein.Any amendment to this Regulation pursuant to paragraph 7 of this Article, or relevant future delegated or implementing acts, which concern sectoral legislation listed in Annex II Section B, shall take into account the regulatory specificities of each sector, and existing governance, conformity assessment and enforcement mechanisms and authorities established therein.
Article 84 – paragraph 7c (new)7c. By … [five years from the date of application of this Regulation], the Commission shall carry out an assessment of the enforcement of this Regulation and shall report it to the European Parliament, the Council and the European Economic and Social Committee, taking into account the first years of application of the Regulation. On the basis of the findings that report shall, where appropriate, be accompanied by a proposal for amendment of this Regulation with regard to the structure of enforcement and the need for an Union agency to resolve any identified shortcomings.By no later than five years from the date of application of this Regulation, an assessment of the enforcement of this Regulation shall be carried out by the Commission. This assessment will take into account the initial years of the Regulation’s application. The findings of this assessment will be reported to the European Parliament, the Council, and the European Economic and Social Committee. If deemed necessary based on the findings, the report will be accompanied by a proposal for amendment of this Regulation. This amendment proposal will specifically address the structure of enforcement and consider the establishment of a Union agency to rectify any identified shortcomings.
Article 85
NumberingCommissionParliamentCouncilText proposed by the AI
Article 85Article 85
Entry into force and application		Article 85
Entry into force and application		Article 85
Entry into force and application		Article 85
Entry into force and application
Article 85 – paragraph 11.This Regulation shall enter into force on the twentieth day following that of its publication in the Official Journal of the European Union.1.This Regulation shall enter into force on the twentieth day following that of its publication in the Official Journal of the European Union.1. This Regulation shall enter into force on the twentieth day following that of its publication in the Official Journal of the European Union.1. This Regulation shall enter into force on the twentieth day following that of its publication in the Official Journal of the European Union.
Article 85 – paragraph 22.This Regulation shall apply from [24 months following the entering into force of the Regulation].2.This Regulation shall apply from [24 months following the entering into force of the Regulation].2. This Regulation shall apply from [36 months following the entering into force of the Regulation].2. This Regulation shall apply from [24 to 36 months following the entering into force of the Regulation].
Article 85 – paragraph 33.By way of derogation from paragraph 2:
(a)Title III, Chapter 4 and Title VI shall apply from [three months following the entry into force of this Regulation];
(b)Article 71 shall apply from [twelve months following the entry into force of this Regulation].		3.By way of derogation from paragraph 2:
(a)Title III, Chapter 4 and Title VI shall apply from [three months following the entry into force of this Regulation];
(b)Article 71 shall apply from [twelve months following the entry into force of this Regulation].		3. By way of derogation from paragraph 2:
(a) Title III, Chapter 4 and Title VI shall apply from [twelve months following the entry into force of this Regulation];
(b) Article 71 shall apply from [twelve months following the entry into force of this Regulation].		3. By way of derogation from paragraph 2:
(a) Title III, Chapter 4 and Title VI shall apply from [three months following the entry into force of this Regulation];
(b) Article 71 shall apply from [twelve months following the entry into force of this Regulation].
Article 85 – finalThis Regulation shall be binding in its entirety and directly applicable in all Member States.This Regulation shall be binding in its entirety and directly applicable in all Member States.This Regulation shall be binding in its entirety and directly applicable in all Member States.This Regulation shall be binding in its entirety and directly applicable in all Member States.

ANNEXES

Annex I
NumberingCommissionParliamentCouncilText proposed by the AI
Annex I – points a–c(a) Machine learning approaches, including supervised, unsupervised and reinforcement learning, using a wide variety of methods including deep learning;
(b) Logic- and knowledge-based approaches, including knowledge representation, inductive (logic) programming, knowledge bases, inference and deductive engines, (symbolic) reasoning and expert systems;
(c) Statistical approaches, Bayesian estimation, search and optimization methods.		deleteddeletedThe proposal includes the following approaches to machine learning: supervised, unsupervised, and reinforcement learning, utilizing a wide array of methods such as deep learning. It also encompasses logic- and knowledge-based approaches, which include knowledge representation, inductive (logic) programming, knowledge bases, inference and deductive engines, (symbolic) reasoning, and expert systems. Additionally, the proposal includes statistical approaches, Bayesian estimation, and search and optimization methods.
Annex II
NumberingCommissionParliamentCouncilText proposed by the AI
ANNEX IIANNEX II
LIST OF UNION HARMONISATION LEGISLATION
ANNEX II
LIST OF UNION HARMONISATION LEGISLATION
ANNEX II
LIST OF UNION HARMONISATION LEGISLATION
ANNEX II
LIST OF UNION HARMONISATION LEGISLATION
Annex II – Section ASection A – List of Union harmonisation legislation based on the New Legislative Framework

1.Directive 2006/42/EC of the European Parliament and of the Council of 17 May 2006 on machinery, and amending Directive 95/16/EC (OJ L 157, 9.6.2006, p. 24) [as repealed by the Machinery Regulation];

2.Directive 2009/48/EC of the European Parliament and of the Council of 18 June 2009 on the safety of toys (OJ L 170, 30.6.2009, p. 1);

3.Directive 2013/53/EU of the European Parliament and of the Council of 20 November 2013 on recreational craft and personal watercraft and repealing Directive 94/25/EC (OJ L 354, 28.12.2013, p. 90);

4.Directive 2014/33/EU of the European Parliament and of the Council of 26 February 2014 on the harmonisation of the laws of the Member States relating to lifts and safety components for lifts (OJ L 96, 29.3.2014, p. 251);

5.Directive 2014/34/EU of the European Parliament and of the Council of 26 February 2014 on the harmonisation of the laws of the Member States relating to equipment and protective systems intended for use in potentially explosive atmospheres (OJ L 96, 29.3.2014, p. 309);

6.Directive 2014/53/EU of the European Parliament and of the Council of 16 April 2014 on the harmonisation of the laws of the Member States relating to the making available on the market of radio equipment and repealing Directive 1999/5/EC (OJ L 153, 22.5.2014, p. 62);

7.Directive 2014/68/EU of the European Parliament and of the Council of 15 May 2014 on the harmonisation of the laws of the Member States relating to the making available on the market of pressure equipment (OJ L 189, 27.6.2014, p. 164);

8.Regulation (EU) 2016/424 of the European Parliament and of the Council of 9 March 2016 on cableway installations and repealing Directive 2000/9/EC (OJ L 81, 31.3.2016, p. 1);

9.Regulation (EU) 2016/425 of the European Parliament and of the Council of 9 March 2016 on personal protective equipment and repealing Council Directive 89/686/EEC (OJ L 81, 31.3.2016, p. 51);

10.Regulation (EU) 2016/426 of the European Parliament and of the Council of 9 March 2016 on appliances burning gaseous fuels and repealing Directive 2009/142/EC (OJ L 81, 31.3.2016, p. 99);

11.Regulation (EU) 2017/745 of the European Parliament and of the Council of 5 April 2017 on medical devices, amending Directive 2001/83/EC, Regulation (EC) No 178/2002 and Regulation (EC) No 1223/2009 and repealing Council Directives 90/385/EEC and 93/42/EEC (OJ L 117, 5.5.2017, p. 1;

12.Regulation (EU) 2017/746 of the European Parliament and of the Council of 5 April 2017 on in vitro diagnostic medical devices and repealing Directive 98/79/EC and Commission Decision 2010/227/EU (OJ L 117, 5.5.2017, p. 176).

Section A – List of Union harmonisation legislation based on the New Legislative Framework

1.Directive 2006/42/EC of the European Parliament and of the Council of 17 May 2006 on machinery, and amending Directive 95/16/EC (OJ L 157, 9.6.2006, p. 24) [as repealed by the Machinery Regulation];

2.Directive 2009/48/EC of the European Parliament and of the Council of 18 June 2009 on the safety of toys (OJ L 170, 30.6.2009, p. 1);

3.Directive 2013/53/EU of the European Parliament and of the Council of 20 November 2013 on recreational craft and personal watercraft and repealing Directive 94/25/EC (OJ L 354, 28.12.2013, p. 90);

4.Directive 2014/33/EU of the European Parliament and of the Council of 26 February 2014 on the harmonisation of the laws of the Member States relating to lifts and safety components for lifts (OJ L 96, 29.3.2014, p. 251);

5.Directive 2014/34/EU of the European Parliament and of the Council of 26 February 2014 on the harmonisation of the laws of the Member States relating to equipment and protective systems intended for use in potentially explosive atmospheres (OJ L 96, 29.3.2014, p. 309);

6.Directive 2014/53/EU of the European Parliament and of the Council of 16 April 2014 on the harmonisation of the laws of the Member States relating to the making available on the market of radio equipment and repealing Directive 1999/5/EC (OJ L 153, 22.5.2014, p. 62);

7.Directive 2014/68/EU of the European Parliament and of the Council of 15 May 2014 on the harmonisation of the laws of the Member States relating to the making available on the market of pressure equipment (OJ L 189, 27.6.2014, p. 164);

8.Regulation (EU) 2016/424 of the European Parliament and of the Council of 9 March 2016 on cableway installations and repealing Directive 2000/9/EC (OJ L 81, 31.3.2016, p. 1);

9.Regulation (EU) 2016/425 of the European Parliament and of the Council of 9 March 2016 on personal protective equipment and repealing Council Directive 89/686/EEC (OJ L 81, 31.3.2016, p. 51);

10.Regulation (EU) 2016/426 of the European Parliament and of the Council of 9 March 2016 on appliances burning gaseous fuels and repealing Directive 2009/142/EC (OJ L 81, 31.3.2016, p. 99);

11.Regulation (EU) 2017/745 of the European Parliament and of the Council of 5 April 2017 on medical devices, amending Directive 2001/83/EC, Regulation (EC) No 178/2002 and Regulation (EC) No 1223/2009 and repealing Council Directives 90/385/EEC and 93/42/EEC (OJ L 117, 5.5.2017, p. 1;

12.Regulation (EU) 2017/746 of the European Parliament and of the Council of 5 April 2017 on in vitro diagnostic medical devices and repealing Directive 98/79/EC and Commission Decision 2010/227/EU (OJ L 117, 5.5.2017, p. 176).

Section A – List of Union harmonisation legislation based on the New Legislative Framework

1. Directive 2006/42/EC of the European Parliament and of the Council of 17 May 2006 on machinery, and amending Directive 95/16/EC (OJ L 157, 9.6.2006, p. 24) [as repealed by the Machinery Regulation];

2. Directive 2009/48/EC of the European Parliament and of the Council of 18 June 2009 on the safety of toys (OJ L 170, 30.6.2009, p. 1);

3. Directive 2013/53/EU of the European Parliament and of the Council of 20 November 2013 on recreational craft and personal watercraft and repealing Directive 94/25/EC (OJ L 354, 28.12.2013, p. 90);

4. Directive 2014/33/EU of the European Parliament and of the Council of 26 February 2014 on the harmonisation of the laws of the Member States relating to lifts and safety components for lifts (OJ L 96, 29.3.2014, p. 251);

5. Directive 2014/34/EU of the European Parliament and of the Council of 26 February 2014 on the harmonisation of the laws of the Member States relating to equipment and protective systems intended for use in potentially explosive atmospheres (OJ L 96, 29.3.2014, p. 309);

6. Directive 2014/53/EU of the European Parliament and of the Council of 16 April 2014 on the harmonisation of the laws of the Member States relating to the making available on the market of radio equipment and repealing Directive 1999/5/EC (OJ L 153, 22.5.2014, p. 62);

7. Directive 2014/68/EU of the European Parliament and of the Council of 15 May 2014 on the harmonisation of the laws of the Member States relating to the making available on the market of pressure equipment (OJ L 189, 27.6.2014, p. 164);

8. Regulation (EU) 2016/424 of the European Parliament and of the Council of 9 March 2016 on cableway installations and repealing Directive 2000/9/EC (OJ L 81, 31.3.2016, p. 1);

9. Regulation (EU) 2016/425 of the European Parliament and of the Council of 9 March 2016 on personal protective equipment and repealing Council Directive 89/686/EEC (OJ L 81, 31.3.2016, p. 51);

10. Regulation (EU) 2016/426 of the European Parliament and of the Council of 9 March 2016 on appliances burning gaseous fuels and repealing Directive 2009/142/EC (OJ L 81, 31.3.2016, p. 99);

11. Regulation (EU) 2017/745 of the European Parliament and of the Council of 5 April 2017 on medical devices, amending Directive 2001/83/EC, Regulation (EC) No 178/2002 and Regulation (EC) No 1223/2009 and repealing Council Directives 90/385/EEC and 93/42/EEC (OJ L 117, 5.5.2017, p. 1;

12. Regulation (EU) 2017/746 of the European Parliament and of the Council of 5 April 2017 on in vitro diagnostic medical devices and repealing Directive 98/79/EC and Commission Decision 2010/227/EU (OJ L 117, 5.5.2017, p. 176).
Section A – List of Union harmonisation legislation based on the New Legislative Framework

1.Directive 2006/42/EC of the European Parliament and of the Council of 17 May 2006 on machinery, and amending Directive 95/16/EC (OJ L 157, 9.6.2006, p. 24) [as repealed by the Machinery Regulation];

2.Directive 2009/48/EC of the European Parliament and of the Council of 18 June 2009 on the safety of toys (OJ L 170, 30.6.2009, p. 1);

3.Directive 2013/53/EU of the European Parliament and of the Council of 20 November 2013 on recreational craft and personal watercraft and repealing Directive 94/25/EC (OJ L 354, 28.12.2013, p. 90);

4.Directive 2014/33/EU of the European Parliament and of the Council of 26 February 2014 on the harmonisation of the laws of the Member States relating to lifts and safety components for lifts (OJ L 96, 29.3.2014, p. 251);

5.Directive 2014/34/EU of the European Parliament and of the Council of 26 February 2014 on the harmonisation of the laws of the Member States relating to equipment and protective systems intended for use in potentially explosive atmospheres (OJ L 96, 29.3.2014, p. 309);

6.Directive 2014/53/EU of the European Parliament and of the Council of 16 April 2014 on the harmonisation of the laws of the Member States relating to the making available on the market of radio equipment and repealing Directive 1999/5/EC (OJ L 153, 22.5.2014, p. 62);

7.Directive 2014/68/EU of the European Parliament and of the Council of 15 May 2014 on the harmonisation of the laws of the Member States relating to the making available on the market of pressure equipment (OJ L 189, 27.6.2014, p. 164);

8.Regulation (EU) 2016/424 of the European Parliament and of the Council of 9 March 2016 on cableway installations and repealing Directive 2000/9/EC (OJ L 81, 31.3.2016, p. 1);

9.Regulation (EU) 2016/425 of the European Parliament and of the Council of 9 March 2016 on personal protective equipment and repealing Council Directive 89/686/EEC (OJ L 81, 31.3.2016, p. 51);

10.Regulation (EU) 2016/426 of the European Parliament and of the Council of 9 March 2016 on appliances burning gaseous fuels and repealing Directive 2009/142/EC (OJ L 81, 31.3.2016, p. 99);

11.Regulation (EU) 2017/745 of the European Parliament and of the Council of 5 April 2017 on medical devices, amending Directive 2001/83/EC, Regulation (EC) No 178/2002 and Regulation (EC) No 1223/2009 and repealing Council Directives 90/385/EEC and 93/42/EEC (OJ L 117, 5.5.2017, p. 1;

12.Regulation (EU) 2017/746 of the European Parliament and of the Council of 5 April 2017 on in vitro diagnostic medical devices and repealing Directive 98/79/EC and Commission Decision 2010/227/EU (OJ L 117, 5.5.2017, p. 176).
Annex II – Section BSection B. List of other Union harmonisation legislation

1.Regulation (EC) No 300/2008 of the European Parliament and of the Council of 11 March 2008 on common rules in the field of civil aviation security and repealing Regulation (EC) No 2320/2002 (OJ L 97, 9.4.2008, p. 72).

2.Regulation (EU) No 168/2013 of the European Parliament and of the Council of 15 January 2013 on the approval and market surveillance of two- or three-wheel vehicles and quadricycles (OJ L 60, 2.3.2013, p. 52);

3.Regulation (EU) No 167/2013 of the European Parliament and of the Council of 5 February 2013 on the approval and market surveillance of agricultural and forestry vehicles (OJ L 60, 2.3.2013, p. 1);

4.Directive 2014/90/EU of the European Parliament and of the Council of 23 July 2014 on marine equipment and repealing Council Directive 96/98/EC (OJ L 257, 28.8.2014, p. 146);

5.Directive (EU) 2016/797 of the European Parliament and of the Council of 11 May 2016 on the interoperability of the rail system within the European Union (OJ L 138, 26.5.2016, p. 44).

6.Regulation (EU) 2018/858 of the European Parliament and of the Council of 30 May 2018 on the approval and market surveillance of motor vehicles and their trailers, and of systems, components and separate technical units intended for such vehicles, amending Regulations (EC) No 715/2007 and (EC) No 595/2009 and repealing Directive 2007/46/EC (OJ L 151, 14.6.2018, p. 1); 3. Regulation (EU) 2019/2144 of the European Parliament and of the Council of 27 November 2019 on type-approval requirements for motor vehicles and their trailers, and systems, components and separate technical units intended for such vehicles, as regards their general safety and the protection of vehicle occupants and vulnerable road users, amending Regulation (EU) 2018/858 of the European Parliament and of the Council and repealing Regulations (EC) No 78/2009, (EC) No 79/2009 and (EC) No 661/2009 of the European Parliament and of the Council and Commission Regulations (EC) No 631/2009, (EU) No 406/2010, (EU) No 672/2010, (EU) No 1003/2010, (EU) No 1005/2010, (EU) No 1008/2010, (EU) No 1009/2010, (EU) No 19/2011, (EU) No 109/2011, (EU) No 458/2011, (EU) No 65/2012, (EU) No 130/2012, (EU) No 347/2012, (EU) No 351/2012, (EU) No 1230/2012 and (EU) 2015/166 (OJ L 325, 16.12.2019, p. 1);

7.Regulation (EU) 2018/1139 of the European Parliament and of the Council of 4 July 2018 on common rules in the field of civil aviation and establishing a European Union Aviation Safety Agency, and amending Regulations (EC) No 2111/2005, (EC) No 1008/2008, (EU) No 996/2010, (EU) No 376/2014 and Directives 2014/30/EU and 2014/53/EU of the European Parliament and of the Council, and repealing Regulations (EC) No 552/2004 and (EC) No 216/2008 of the European Parliament and of the Council and Council Regulation (EEC) No 3922/91 (OJ L 212, 22.8.2018, p. 1), in so far as the design, production and placing on the market of aircrafts referred to in points (a) and (b) of Article 2(1) thereof, where it concerns unmanned aircraft and their engines, propellers, parts and equipment to control them remotely, are concerned.		Section B. List of other Union harmonisation legislation

1.Regulation (EC) No 300/2008 of the European Parliament and of the Council of 11 March 2008 on common rules in the field of civil aviation security and repealing Regulation (EC) No 2320/2002 (OJ L 97, 9.4.2008, p. 72).

2.Regulation (EU) No 168/2013 of the European Parliament and of the Council of 15 January 2013 on the approval and market surveillance of two- or three-wheel vehicles and quadricycles (OJ L 60, 2.3.2013, p. 52);

3.Regulation (EU) No 167/2013 of the European Parliament and of the Council of 5 February 2013 on the approval and market surveillance of agricultural and forestry vehicles (OJ L 60, 2.3.2013, p. 1);

4.Directive 2014/90/EU of the European Parliament and of the Council of 23 July 2014 on marine equipment and repealing Council Directive 96/98/EC (OJ L 257, 28.8.2014, p. 146);

5.Directive (EU) 2016/797 of the European Parliament and of the Council of 11 May 2016 on the interoperability of the rail system within the European Union (OJ L 138, 26.5.2016, p. 44).

6.Regulation (EU) 2018/858 of the European Parliament and of the Council of 30 May 2018 on the approval and market surveillance of motor vehicles and their trailers, and of systems, components and separate technical units intended for such vehicles, amending Regulations (EC) No 715/2007 and (EC) No 595/2009 and repealing Directive 2007/46/EC (OJ L 151, 14.6.2018, p. 1); 3. Regulation (EU) 2019/2144 of the European Parliament and of the Council of 27 November 2019 on type-approval requirements for motor vehicles and their trailers, and systems, components and separate technical units intended for such vehicles, as regards their general safety and the protection of vehicle occupants and vulnerable road users, amending Regulation (EU) 2018/858 of the European Parliament and of the Council and repealing Regulations (EC) No 78/2009, (EC) No 79/2009 and (EC) No 661/2009 of the European Parliament and of the Council and Commission Regulations (EC) No 631/2009, (EU) No 406/2010, (EU) No 672/2010, (EU) No 1003/2010, (EU) No 1005/2010, (EU) No 1008/2010, (EU) No 1009/2010, (EU) No 19/2011, (EU) No 109/2011, (EU) No 458/2011, (EU) No 65/2012, (EU) No 130/2012, (EU) No 347/2012, (EU) No 351/2012, (EU) No 1230/2012 and (EU) 2015/166 (OJ L 325, 16.12.2019, p. 1);

7.Regulation (EU) 2018/1139 of the European Parliament and of the Council of 4 July 2018 on common rules in the field of civil aviation and establishing a European Union Aviation Safety Agency, and amending Regulations (EC) No 2111/2005, (EC) No 1008/2008, (EU) No 996/2010, (EU) No 376/2014 and Directives 2014/30/EU and 2014/53/EU of the European Parliament and of the Council, and repealing Regulations (EC) No 552/2004 and (EC) No 216/2008 of the European Parliament and of the Council and Council Regulation (EEC) No 3922/91 (OJ L 212, 22.8.2018, p. 1), in so far as the design, production and placing on the market of aircrafts referred to in points (a) and (b) of Article 2(1) thereof, where it concerns unmanned aircraft and their engines, propellers, parts and equipment to control them remotely, are concerned.		Section B. List of other Union harmonisation legislation

1.Regulation (EC) No 300/2008 of the European Parliament and of the Council of 11 March 2008 on common rules in the field of civil aviation security and repealing Regulation (EC) No 2320/2002 (OJ L 97, 9.4.2008, p. 72).

2.Regulation (EU) No 168/2013 of the European Parliament and of the Council of 15 January 2013 on the approval and market surveillance of two- or three-wheel vehicles and quadricycles (OJ L 60, 2.3.2013, p. 52);

3.Regulation (EU) No 167/2013 of the European Parliament and of the Council of 5 February 2013 on the approval and market surveillance of agricultural and forestry vehicles (OJ L 60, 2.3.2013, p. 1);

4.Directive 2014/90/EU of the European Parliament and of the Council of 23 July 2014 on marine equipment and repealing Council Directive 96/98/EC (OJ L 257, 28.8.2014, p. 146);

5.Directive (EU) 2016/797 of the European Parliament and of the Council of 11 May 2016 on the interoperability of the rail system within the European Union (OJ L 138, 26.5.2016, p. 44).

6.Regulation (EU) 2018/858 of the European Parliament and of the Council of 30 May 2018 on the approval and market surveillance of motor vehicles and their trailers, and of systems, components and separate technical units intended for such vehicles, amending Regulations (EC) No 715/2007 and (EC) No 595/2009 and repealing Directive 2007/46/EC (OJ L 151, 14.6.2018, p. 1); 3. Regulation (EU) 2019/2144 of the European Parliament and of the Council of 27 November 2019 on type-approval requirements for motor vehicles and their trailers, and systems, components and separate technical units intended for such vehicles, as regards their general safety and the protection of vehicle occupants and vulnerable road users, amending Regulation (EU) 2018/858 of the European Parliament and of the Council and repealing Regulations (EC) No 78/2009, (EC) No 79/2009 and (EC) No 661/2009 of the European Parliament and of the Council and Commission Regulations (EC) No 631/2009, (EU) No 406/2010, (EU) No 672/2010, (EU) No 1003/2010, (EU) No 1005/2010, (EU) No 1008/2010, (EU) No 1009/2010, (EU) No 19/2011, (EU) No 109/2011, (EU) No 458/2011, (EU) No 65/2012, (EU) No 130/2012, (EU) No 347/2012, (EU) No 351/2012, (EU) No 1230/2012 and (EU) 2015/166 (OJ L 325, 16.12.2019, p. 1);

7.Regulation (EU) 2018/1139 of the European Parliament and of the Council of 4 July 2018 on common rules in the field of civil aviation and establishing a European Union Aviation Safety Agency, and amending Regulations (EC) No 2111/2005, (EC) No 1008/2008, (EU) No 996/2010, (EU) No 376/2014 and Directives 2014/30/EU and 2014/53/EU of the European Parliament and of the Council, and repealing Regulations (EC) No 552/2004 and (EC) No 216/2008 of the European Parliament and of the Council and Council Regulation (EEC) No 3922/91 (OJ L 212, 22.8.2018, p. 1), in so far as the design, production and placing on the market of aircrafts referred to in points (a) and (b) of Article 2(1) thereof, where it concerns unmanned aircraft and their engines, propellers, parts and equipment to control them remotely, are concerned.		Section B. List of other Union harmonisation legislation

1.Regulation (EC) No 300/2008 of the European Parliament and of the Council of 11 March 2008 on common rules in the field of civil aviation security and repealing Regulation (EC) No 2320/2002 (OJ L 97, 9.4.2008, p. 72).

2.Regulation (EU) No 168/2013 of the European Parliament and of the Council of 15 January 2013 on the approval and market surveillance of two- or three-wheel vehicles and quadricycles (OJ L 60, 2.3.2013, p. 52);

3.Regulation (EU) No 167/2013 of the European Parliament and of the Council of 5 February 2013 on the approval and market surveillance of agricultural and forestry vehicles (OJ L 60, 2.3.2013, p. 1);

4.Directive 2014/90/EU of the European Parliament and of the Council of 23 July 2014 on marine equipment and repealing Council Directive 96/98/EC (OJ L 257, 28.8.2014, p. 146);

5.Directive (EU) 2016/797 of the European Parliament and of the Council of 11 May 2016 on the interoperability of the rail system within the European Union (OJ L 138, 26.5.2016, p. 44).

6.Regulation (EU) 2018/858 of the European Parliament and of the Council of 30 May 2018 on the approval and market surveillance of motor vehicles and their trailers, and of systems, components and separate technical units intended for such vehicles, amending Regulations (EC) No 715/2007 and (EC) No 595/2009 and repealing Directive 2007/46/EC (OJ L 151, 14.6.2018, p. 1); 3. Regulation (EU) 2019/2144 of the European Parliament and of the Council of 27 November 2019 on type-approval requirements for motor vehicles and their trailers, and systems, components and separate technical units intended for such vehicles, as regards their general safety and the protection of vehicle occupants and vulnerable road users, amending Regulation (EU) 2018/858 of the European Parliament and of the Council and repealing Regulations (EC) No 78/2009, (EC) No 79/2009 and (EC) No 661/2009 of the European Parliament and of the Council and Commission Regulations (EC) No 631/2009, (EU) No 406/2010, (EU) No 672/2010, (EU) No 1003/2010, (EU) No 1005/2010, (EU) No 1008/2010, (EU) No 1009/2010, (EU) No 19/2011, (EU) No 109/2011, (EU) No 458/2011, (EU) No 65/2012, (EU) No 130/2012, (EU) No 347/2012, (EU) No 351/2012, (EU) No 1230/2012 and (EU) 2015/166 (OJ L 325, 16.12.2019, p. 1);

7.Regulation (EU) 2018/1139 of the European Parliament and of the Council of 4 July 2018 on common rules in the field of civil aviation and establishing a European Union Aviation Safety Agency, and amending Regulations (EC) No 2111/2005, (EC) No 1008/2008, (EU) No 996/2010, (EU) No 376/2014 and Directives 2014/30/EU and 2014/53/EU of the European Parliament and of the Council, and repealing Regulations (EC) No 552/2004 and (EC) No 216/2008 of the European Parliament and of the Council and Council Regulation (EEC) No 3922/91 (OJ L 212, 22.8.2018, p. 1), in so far as the design, production and placing on the market of aircrafts referred to in points (a) and (b) of Article 2(1) thereof, where it concerns unmanned aircraft and their engines, propellers, parts and equipment to control them remotely, are concerned.
Annex III
NumberingCommissionParliamentCouncilText proposed by the AI
ANNEX IIIANNEX III
HIGH-RISK AI SYSTEMS REFERRED TO IN ARTICLE 6(2)		ANNEX III
HIGH-RISK AI SYSTEMS REFERRED TO IN ARTICLE 6(2)		ANNEX III
HIGH-RISK AI SYSTEMS REFERRED TO IN ARTICLE 6(3)		ANNEX III
HIGH-RISK AI SYSTEMS REFERRED TO IN ARTICLE 6(2) AND 6(3)
Annex III – paragraph 1 – introductory partHigh-risk AI systems pursuant to Article 6(2) are the AI systems listed in any of the following areas:The AI systems specifically refered to in under points 1 to 8a stand for critical use cases and are each considered to be high-risk AI systems pursuant to Article 6(2), provided that they fulfil the criteria set out in that Article:In each of the areas listed under points 1-8, the AI systems specifically mentioned under each letter are considered to be high-risk AI systems pursuant to Article 6(3):The AI systems listed under points 1 to 8a in the following areas are considered to be high-risk AI systems pursuant to Article 6(2) and Article 6(3), provided they fulfil the criteria set out in these Articles. These systems represent critical use cases and are specifically referred to in each respective point.
Annex III – paragraph 1 – point 1 – introductory part1. Biometric identification and categorisation of natural persons:1. Biometric and biometrics-based systems 1. Biometrics:1. Biometric Identification, Categorisation and Systems for Natural Persons:
Annex III – paragraph 1 – point 1 – point a(a) AI systems intended to be used for the ‘real-time’ and ‘post’ remote biometric identification of natural persons;(a) AI systems intended to be used for biometric identification of natural persons, with the exception of those mentioned in Article 5;(a) Remote biometric identification systems(a) AI systems intended for the remote biometric identification of natural persons in real-time and post, excluding those mentioned in Article 5.
Annex III – paragraph 1 – point 1 – point aa (new)(aa) AI systems intended to be used to make inferences about personal characteristics of natural persons on the basis of biometric or biometrics-based data, including emotion recognition systems, with the exception of those mentioned in Article 5; Point 1 shall not include AI systems intended to be used for biometric verification whose sole purpose is to confirm that a specific natural person is the person he or she claims to be. The AI systems intended to make inferences about personal characteristics of natural persons based on biometric or biometrics-based data, including emotion recognition systems, are to be considered, excluding those mentioned in Article 5; Point 1. However, this does not encompass AI systems used for biometric verification, which are solely used to confirm the identity of a specific natural person as the person they claim to be.
Annex III – paragraph 1 – point 2 – introductory part2. Management and operation of critical infrastructure:2. Management and operation of critical infrastructure:2. Critical infrastructure:2. Management, Operation, and Considerations of Critical Infrastructure:
Annex III – paragraph 1 – point 2 – point a(a) AI systems intended to be used as safety components in the management and operation of road traffic and the supply of water, gas, heating and electricity.(a) AI systems intended to be used as safety components in the management and operation of road, rail and air traffic unless they are regulated in harmonisation or sectoral law.(a) AI systems intended to be used as safety components in the management and operation of critical digital infrastructure, road traffic and the supply of water, gas, heating and electricity.(a) AI systems intended to be used as safety components in the management and operation of road traffic, rail and air traffic, critical digital infrastructure, and the supply of water, gas, heating and electricity, unless they are regulated in harmonisation or sectoral law.
Annex III – paragraph 1 – point 2 – point aa (new)(aa) AI systems intended to be used as safety components in the management and operation of the supply of water, gas, heating, electricity and critical digital infrastructure;AI systems intended to be used as safety components in the management and operation of the supply of water, gas, heating, electricity and critical digital infrastructure.
Annex III – paragraph 1 – point 3 – introductory part3 .Education and vocational training:3 .Education and vocational training:3. Education and vocational training:None
Annex III – paragraph 1 – point 3 – point a(a) AI systems intended to be used for the purpose of determining access or assigning natural persons to educational and vocational training institutions;(a) AI systems intended to be used for the purpose of determining access or materially influence decisions on admission or assigning natural persons to educational and vocational training institutions;(a) AI systems intended to be used to determine access, admission or to assign natural persons to educational and vocational training institutions or programmes at all levels;(a) AI systems intended to be used for the purpose of determining access, admission or materially influence decisions on assigning natural persons to educational and vocational training institutions or programmes at all levels;
Annex III – paragraph 1 – point 3 – point b(b) AI systems intended to be used for the purpose of assessing students in educational and vocational training institutions and for assessing participants in tests commonly required for admission to educational institutions.(b) AI systems intended to be used for the purpose of assessing students in educational and vocational training institutions and for assessing participants in tests commonly required for admission to those institutions;(b) AI systems intended to be used to evaluate learning outcomes, including when those outcomes are used to steer the learning process of natural persons in educational and vocational training institutions or programmes at all levels.(b) AI systems intended to be used for the purpose of assessing and evaluating learning outcomes of students and participants in tests commonly required for admission to educational and vocational training institutions or programmes at all levels, including when those outcomes are used to steer the learning process.
Annex III – paragraph 1 – point 3 – point ba (new)(ba) AI systems intended to be used for the purpose of assessing the appropriate level of education for an individual and materially influencing the level of education and vocational training that individual will receive or will be able to access;AI systems designed to evaluate and significantly influence the suitable level of education and vocational training an individual should receive or have access to.
Annex III – paragraph 1 – point 3 – point bb (new)(bb) AI systems intended to be used for monitoring and detecting prohibited behaviour of students during tests in the context of/within education and vocational training institutions;(bb) AI systems designed for monitoring and identifying prohibited behaviour of students during examinations within the scope of educational and vocational training institutions;
Annex III – paragraph 1 – point 4 – introductory part4. Employment, workers management and access to self-employment:4. Employment, workers management and access to self-employment:4. Employment, workers management and access to self-employment:4. Employment, workers management and access to self-employment:
Annex III – paragraph 1 – point 4 – point a(a) AI systems intended to be used for recruitment or selection of natural persons, notably for advertising vacancies, screening or filtering applications, evaluating candidates in the course of interviews or tests;(a) AI systems intended to be used for recruitment or selection of natural persons, notably for placing targeted job advertisements screening or filtering applications, evaluating candidates in the course of interviews or tests;(a) AI systems intended to be used for recruitment or selection of natural persons, notably to place targeted job advertisements, to analyse and filter job applications, and to evaluate candidates;(a) AI systems intended to be used for recruitment or selection of natural persons, notably for advertising vacancies, placing targeted job advertisements, screening or filtering applications, analysing and filtering job applications, and evaluating candidates in the course of interviews or tests;
Annex III – paragraph 1 – point 4 – point b(b) AI intended to be used for making decisions on promotion and termination of work-related contractual relationships, for task allocation and for monitoring and evaluating performance and behavior of persons in such relationships.(b) AI systems intended to be used to make or materially influence decisions affecting the initiation, promotion and termination of work-related contractual relationships, task allocation based on individual behaviour or personal traits or characteristics, or for monitoring and evaluating performance and behavior of persons in such relationships;(b) AI intended to be used to make decisions on promotion and termination of workrelated contractual relationships, to allocate tasks based on individual behavior or personal traits or characteristics and to monitor and evaluate performance and behavior of persons in such relationships.(b) AI systems intended to be used to make or materially influence decisions on the initiation, promotion and termination of work-related contractual relationships, for task allocation based on individual behavior or personal traits or characteristics, and for monitoring and evaluating performance and behavior of persons in such relationships.
Annex III – paragraph 1 – point 5 – introductory part5. Access to and enjoyment of essential private services and public services and benefits:5. Access to and enjoyment of essential private services and public services and benefits:5. Access to and enjoyment of essential private services and essential public services and benefits:5. Access to and enjoyment of essential private services and essential public services and benefits.
Annex III – paragraph 1 – point 5 – point a(a) AI systems intended to be used by public authorities or on behalf of public authorities to evaluate the eligibility of natural persons for public assistance benefits and services, as well as to grant, reduce, revoke, or reclaim such benefits and services;(a) AI systems intended to be used by or on behalf of public authorities to evaluate the eligibility of natural persons for public assistance benefits and services, including healthcare services and essential services, including but not limited to housing, electricity, heating/cooling and internet, as well as to grant, reduce, revoke, increase or reclaim such benefits and services;(a) AI systems intended to be used by public authorities or on behalf of public authorities to evaluate the eligibility of natural persons for essential public assistance benefits and services, as well as to grant, reduce, revoke, or reclaim such benefits and services;(a) AI systems intended to be used by or on behalf of public authorities to evaluate the eligibility of natural persons for essential public assistance benefits and services, including healthcare services and essential services such as housing, electricity, heating/cooling and internet, as well as to grant, reduce, revoke, increase or reclaim such benefits and services;
Annex III – paragraph 1 – point 5 – point b(b) AI systems intended to be used to evaluate the creditworthiness of natural persons or establish their credit score, with the exception of AI systems put into service by small scale providers for their own use;(b) AI systems intended to be used to evaluate the creditworthiness of natural persons or establish their credit score , with the exception of AI systems used for the purpose of detecting financial fraud;(b) AI systems intended to be used to evaluate the creditworthiness of natural persons or establish their credit score, with the exception of AI systems put into service by providers that are micro and small-sized enterprises as defined in the Annex of Commission Recommendation 2003/361/EC for their own use;(b) AI systems intended to be used to evaluate the creditworthiness of natural persons or establish their credit score, with the exception of AI systems put into service by small scale providers or micro and small-sized enterprises as defined in the Annex of Commission Recommendation 2003/361/EC for their own use, and AI systems used for the purpose of detecting financial fraud;
Annex III – paragraph 1 – point 5 – point ba (new)(ba) AI systems intended to be used for making decisions or materially influencing decisions on the eligibility of natural persons for health and life insurance;AI systems intended to be used for making decisions or materially influencing decisions on the eligibility of natural persons for health and life insurance.
Annex III – paragraph 1 – point 5 – point c(c) AI systems intended to be used to dispatch, or to establish priority in the dispatching of emergency first response services, including by firefighters and medical aid.(c) AI systems intended to evaluate and classify emergency calls by natural persons or to be used to dispatch, or to establish priority in the dispatching of emergency first response services, including by police and law enforcement, firefighters and medical aid, as well as of emergency healthcare patient triage systems;(c) AI systems intended to be used to dispatch, or to establish priority in the dispatching of emergency first response services, including by firefighters and medical aid;(c) AI systems intended to evaluate and classify emergency calls by natural persons or to be used to dispatch, or to establish priority in the dispatching of emergency first response services, including by police and law enforcement, firefighters and medical aid, as well as of emergency healthcare patient triage systems;
Annex III – paragraph 1 – point 5 – point d (new)(d) AI systems intended to be used for risk assessment and pricing in relation to natural persons in the case of life and health insurance with the exception of AI systems put into service by providers that are micro and small-sized enterprises as defined in the Annex of Commission Recommendation 2003/361/EC for their own use.(d) AI systems intended to be used for risk assessment and pricing in relation to natural persons in the case of life and health insurance, excluding AI systems put into service by providers that are micro and small-sized enterprises as defined in the Annex of Commission Recommendation 2003/361/EC for their own use.
Annex III – paragraph 1 – point 6 – introductory part6. Law enforcement:6. Law enforcement:6. Law enforcement:None
Annex III – paragraph 1 – point 6 – point a(a) AI systems intended to be used by law enforcement authorities for making individual risk assessments of natural persons in order to assess the risk of a natural person for offending or reoffending or the risk for potential victims of criminal offences;deleted(a) AI systems intended to be used by law enforcement authorities or on their behalf to assess the risk of a natural person for offending or reoffending or the risk for a natural person to become a potential victim of criminal offences;(a) AI systems intended to be used by or on behalf of law enforcement authorities to assess the risk of a natural person for offending or reoffending or the risk for a natural person to potentially become a victim of criminal offences;
Annex III – paragraph 1 – point 6 – point b(b) AI systems intended to be used by law enforcement authorities as polygraphs and similar tools or to detect the emotional state of a natural person;(b) AI systems intended to be used by or on behalf of law enforcement authorities, or by Union agencies, offices or bodies in support of law enforcement authorities as polygraphs and similar tools, insofar as their use is permitted under relevant Union and national law;(b) AI systems intended to be used by law enforcement authorities or on their behalf as polygraphs and similar tools or to detect the emotional state of a natural person;(b) AI systems intended to be used by or on behalf of law enforcement authorities, or by Union agencies, offices or bodies in support of law enforcement authorities as polygraphs and similar tools, or to detect the emotional state of a natural person, insofar as their use is permitted under relevant Union and national law;
Annex III – paragraph 1 – point 6 – point c(c) AI systems intended to be used by law enforcement authorities to detect deep fakes as referred to in article 52(3);deleteddeletedNone
Annex III – paragraph 1 – point 6 – point d(d) AI systems intended to be used by law enforcement authorities for evaluation of the reliability of evidence in the course of investigation or prosecution of criminal offences;(d) AI systems intended to be used by or on behalf of law enforcement authorities, or by Union agencies, offices or bodies in support of law enforcement authorities to evaluate the reliability of evidence in the course of investigation or prosecution of criminal offences;(d) AI systems intended to be used by law enforcement authorities or on their behalf to evaluate the reliability of evidence in the course of investigation or prosecution of criminal offences;(d) AI systems intended to be used by or on behalf of law enforcement authorities, or by Union agencies, offices or bodies in support of law enforcement authorities, to evaluate the reliability of evidence in the course of investigation or prosecution of criminal offences;
Annex III – paragraph 1 – point 6 – point e(e) AI systems intended to be used by law enforcement authorities for predicting the occurrence or reoccurrence of an actual or potential criminal offence based on profiling of natural persons as referred to in Article 3(4) of Directive (EU) 2016/680 or assessing personality traits and characteristics or past criminal behaviour of natural persons or groups;deleted(e) AI systems intended to be used by law enforcement authorities or on their behalf to predict the occurrence or reoccurrence of an actual or potential criminal offence based on profiling of natural persons as referred to in Article 3(4) of Directive (EU) 2016/680 or to assess personality traits and characteristics or past criminal behaviour of natural persons or groups;(e) AI systems intended to be used by or on behalf of law enforcement authorities for predicting the occurrence or reoccurrence of an actual or potential criminal offence based on profiling of natural persons as referred to in Article 3(4) of Directive (EU) 2016/680 or assessing personality traits and characteristics or past criminal behaviour of natural persons or groups;
Annex III – paragraph 1 – point 6 – point f(f) AI systems intended to be used by law enforcement authorities for profiling of natural persons as referred to in Article 3(4) of Directive (EU) 2016/680 in the course of detection, investigation or prosecution of criminal offences;(f) AI systems intended to be used by or on behalf of law enforcement authorities or by Union agencies, offices or bodies in support of law enforcement authorities for profiling of natural persons as referred to in Article 3(4) of Directive (EU) 2016/680 in the course of detection, investigation or prosecution of criminal offences or, in the case of Union agencies, offices or bodies, as referred to in Article 3(5) of Regulation (EU) 2018/1725;(f) AI systems intended to be used by law enforcement authorities or on their behalf to profile natural persons as referred to in Article 3(4) of Directive (EU) 2016/680 in the course of detection, investigation or prosecution of criminal offences.(f) AI systems intended to be used by law enforcement authorities, or on their behalf, or by Union agencies, offices or bodies in support of law enforcement authorities for profiling of natural persons as referred to in Article 3(4) of Directive (EU) 2016/680 in the course of detection, investigation or prosecution of criminal offences or, in the case of Union agencies, offices or bodies, as referred to in Article 3(5) of Regulation (EU) 2018/1725.
Annex III – paragraph 1 – point 6 – point g(g) AI systems intended to be used for crime analytics regarding natural persons, allowing law enforcement authorities to search complex related and unrelated large data sets available in different data sources or in different data formats in order to identify unknown patterns or discover hidden relationships in the data.(g) AI systems intended to be used by or on behalf of law enforcement authorities or by Union agencies, offices or bodies in support of law enforcement authorities for crime analytics regarding natural persons, allowing law enforcement authorities to search complex related and unrelated large data sets available in different data sources or in different data formats in order to identify unknown patterns or discover hidden relationships in the data.deleted(g) AI systems intended to be used by or on behalf of law enforcement authorities or by Union agencies, offices or bodies in support of law enforcement authorities for crime analytics regarding natural persons, allowing law enforcement authorities to search complex related and unrelated large data sets available in different data sources or in different data formats in order to identify unknown patterns or discover hidden relationships in the data.
Annex III – paragraph 1 – point 7 – introductory part7.Migration, asylum and border control management:7.Migration, asylum and border control management:7.Migration, asylum and border control management:None
Annex III – paragraph 1 – point 7 – point a(a) AI systems intended to be used by competent public authorities as polygraphs and similar tools or to detect the emotional state of a natural person;(a) AI systems intended to be used by or on behalf of competent public authorities or by Union agencies, offices or bodies as polygraphs and similar tools insofar as their use is permitted under relevant Union or national law(a) AI systems intended to be used by competent public authorities or on their behalf as polygraphs and similar tools or to detect the emotional state of a natural person;(a) AI systems intended to be used by competent public authorities, or on their behalf, or by Union agencies, offices or bodies as polygraphs and similar tools, or to detect the emotional state of a natural person, insofar as their use is permitted under relevant Union or national law.
Annex III – paragraph 1 – point 7 – point (b) AI systems intended to be used by competent public authorities to assess a risk, including a security risk, a risk of irregular immigration, or a health risk, posed by a natural person who intends to enter or has entered into the territory of a Member State;(b) AI systems intended to be used by or on behalf of competent public authorities or by Union agencies, offices or bodies to assess a risk, including a security risk, a risk of irregular immigration, or a health risk, posed by a natural person who intends to enter or has entered into the territory of a Member State;(b) AI systems intended to be used by competent public authorities or on their behalf to assess a risk, including a security risk, a risk of irregular migration, or a health risk, posed by a natural person who intends to enter or has entered into the territory of a Member State;(b) AI systems intended to be used by competent public authorities, or on their behalf, or by Union agencies, offices or bodies to assess a risk, including a security risk, a risk of irregular immigration or migration, or a health risk, posed by a natural person who intends to enter or has entered into the territory of a Member State;
Annex III – paragraph 1 – point 7 – point c(c) AI systems intended to be used by competent public authorities for the verification of the authenticity of travel documents and supporting documentation of natural persons and detect non-authentic documents by checking their security features;(c) AI systems intended to be used by or on behalf of competent public authorities or by Union agencies, offices or bodies for the verification of the authenticity of travel documents and supporting documentation of natural persons and detect non-authentic documents by checking their security features;deleted(c) AI systems intended to be used by or on behalf of competent public authorities for the verification of the authenticity of travel documents and supporting documentation of natural persons and detect non-authentic documents by checking their security features;
Annex III – paragraph 1 – point 7 – point d(d) AI systems intended to assist competent public authorities for the examination of applications for asylum, visa and residence permits and associated complaints with regard to the eligibility of the natural persons applying for a status.(d) AI systems intended to be used by or on behalf of competent public authorities or by Union agencies, offices or bodies to assist competent public authorities for the examination and assessment of the veracity of evidence in relation to applications for asylum, visa and residence permits and associated complaints with regard to the eligibility of the natural persons applying for a status;(d) AI systems intended to be used by competent public authorities or on their behalf to examine applications for asylum, visa and residence permits and associated complaints with regard to the eligibility of the natural persons applying for a status.(d) AI systems intended to be used by or on behalf of competent public authorities, or by Union agencies, offices or bodies, to assist in the examination and assessment of applications for asylum, visa and residence permits and associated complaints with regard to the eligibility of the natural persons applying for a status.
Annex III – paragraph 1 – point 7 – point da (new)(da) AI systems intended to be used by or on behalf of competent public authorities or by Union agencies, offices or bodies in migration, asylum and border control management to monitor, surveil or process data in the context of border management activities, for the purpose of detecting, recognising or identifying natural persons;AI systems that are designed to be utilized by competent public authorities, Union agencies, offices or bodies in the management of migration, asylum and border control, with the specific purpose of monitoring, surveillance or data processing in the context of border management activities, aimed at detecting, recognising or identifying natural persons.
Annex III – paragraph 1 – point 7 – point db (new)(db) AI systems intended to be used by or on behalf of competent public authorities or by Union agencies, offices or bodies in migration, asylum and border control management for the forecasting or prediction of trends related to migration movement and border crossing;AI systems are proposed to be utilized by competent public authorities, Union agencies, offices or bodies for the management of migration, asylum, and border control. These systems would be used specifically for the forecasting or prediction of trends related to migration movement and border crossing.
Annex III – paragraph 1 – point 8 – introductory part8. Administration of justice and democratic processes:8. Administration of justice and democratic processes:8. Administration of justice and democratic processes:None
Annex III – paragraph 1 – point 8 – point a(a) AI systems intended to assist a judicial authority in researching and interpreting facts and the law and in applying the law to a concrete set of facts.(a) AI systems intended to be used by a judicial authority ot administrative body or on their behalf to assist a judicial authority or administrative body in researching and interpreting facts and the law and in applying the law to a concrete set of facts or used in a similar way in alternative dispute resolution(a) AI systems intended to be used by a judicial authority or on their behalf to interpret facts or the law and to apply the law to a concrete set of facts.(a) AI systems intended to be used by a judicial authority, administrative body, or on their behalf, to assist in researching, interpreting facts and the law, and in applying the law to a concrete set of facts, or used in a similar way in alternative dispute resolution.
Annex III – paragraph 1 – point 8 – point aa (new)(aa) AI systems intended to be used for influencing the outcome of an election or referendum or the voting behaviour of natural persons in the exercise of their vote in elections or referenda. This does not include AI systems whose output natural persons are not directly exposed to, such as tools used to organise, optimise and structure political campaigns from an administrative and logistic point of view.AI systems intended to be used for influencing the outcome of an election or referendum or the voting behaviour of natural persons in the exercise of their vote in elections or referenda are under consideration. This does not include AI systems whose output natural persons are not directly exposed to, such as tools used to organise, optimise and structure political campaigns from an administrative and logistic point of view.
Annex III – paragraph 1 – point 8 – point ab (new)(ab) AI systems intended to be used by social media platforms that have been designated as very large online platforms within the meaning of Article 33 of Regulation EU 2022/2065, in their recommender systems to recommend to the recipient of the service user-generated content available on the platform.AI systems are proposed to be utilized by social media platforms, specifically those that have been designated as very large online platforms as per Article 33 of Regulation EU 2022/2065. These systems will be used in their recommender systems to suggest user-generated content available on the platform to the service recipient.
Annex IV
NumberingCommissionParliamentCouncilText proposed by the AI
ANNEX IV ANNEX IV
TECHNICAL DOCUMENTATION referred to in Article 11(1)		ANNEX IV
TECHNICAL DOCUMENTATION referred to in Article 11(1)		ANNEX IV
TECHNICAL DOCUMENTATION referred to in Article 11(1)		ANNEX IV
TECHNICAL DOCUMENTATION referred to in Article 11(1)
Annex IV – paragraph 1The technical documentation referred to in Article 11(1) shall contain at least the following information, as applicable to the relevant AI system:The technical documentation referred to in Article 11(1) shall contain at least the following information, as applicable to the relevant AI system:The technical documentation referred to in Article 11(1) shall contain at least the following information, as applicable to the relevant AI system:The technical documentation referred to in Article 11(1) shall contain at least the following information, as applicable to the relevant AI system:
Annex IV – paragraph 1 – point 1 – introductory part1. A general description of the AI system including:1. A general description of the AI system including:1. A general description of the AI system including:None
Annex IV – paragraph 1 – point 1 – point a(a) its intended purpose, the person/s developing the system the date and the version of the system;(a) its intended purpose, the name of the provider and the version of the system reflecting its relation to previous and, where applicable, more recent, versions in the succession of revisions;(a) its intended purpose, the person/s developing the system the date and the version of the system;(a) its intended purpose, the person/s or name of the provider developing the system, the date and the version of the system reflecting its relation to previous and, where applicable, more recent, versions in the succession of revisions;
Annex IV – paragraph 1 – point 1 – point aa (new)(aa) the nature of data likely or intended to be processed by the system and, in the case of personal data, the categories of natural persons and groups likely or intended to be affected;The system is expected to process certain types of data, and in instances where personal data is involved, it should be clearly defined which categories of natural persons and groups are likely or intended to be affected.
Annex IV – paragraph 1 – point 1 – point b(b) how the AI system interacts or can be used to interact with hardware or software that is not part of the AI system itself, where applicable;(b) how the AI system can interact or can be used to interact with hardware or software, including other AI systems, that are not part of the AI system itself, where applicable;(b) how the AI system interacts or can be used to interact with hardware or software that is not part of the AI system itself, where applicable;(b) how the AI system interacts or can be used to interact with hardware or software, including other AI systems, that are not part of the AI system itself, where applicable;
Annex IV – paragraph 1 – point 1 – point c(c) the versions of relevant software or firmware and any requirement related to version update;(c) the versions of relevant software or firmware and, where applicable, information for the deployer on any requirement related to version update;(c) the versions of relevant software or firmware and any requirement related to version update;(c) the versions of relevant software or firmware and, where applicable, any requirement related to version update;
Annex IV – paragraph 1 – point 1 – point d(d) the description of all forms in which the AI system is placed on the market or put into service;(d) the description of the various configurations and variants of the AI system which are intended to be placed on the market or put into service;(d) the description of all forms in which the AI system is placed on the market or put into service (e.g. software package embedded into hardware, downloadable, API etc.);(d) the description of all forms, configurations, and variants of the AI system which are intended to be placed on the market or put into service, including but not limited to software packages embedded into hardware, downloadable versions, APIs, etc.
Annex IV – paragraph 1 – point 1 – point e(e) the description of hardware on which the AI system is intended to run;
(e) the description of hardware on which the AI system is intended to run;
(e) the description of hardware on which the AI system is intended to run;(e) the description of hardware on which the AI system is intended to run;
Annex IV – paragraph 1 – point 1 – point f(f) where the AI system is a component of products, photographs or illustrations showing external features, marking and internal layout of those products;(f) where the AI system is a component of products, photographs or illustrations showing external features, marking and internal layout of those products;(f) where the AI system is a component of products, photographs or illustrations showing external features, marking and internal layout of those products;(f) where the AI system is a component of products, photographs or illustrations showing external features, marking and internal layout of those products;
Annex IV – paragraph 1 – point 1 – point fa (new)(fa) the description of the deployer interface;The description of the deployer interface.
Annex IV – paragraph 1 – point 1 – point g(g) instructions of use for the user and, where applicable installation instructions;(g) instructions of use for the deployer in accordance with Article 13(2) and (3) as well as 14(4)(e) and, where applicable installation instructions;(g) instructions of use for the user and, where applicable installation instructions;(g) instructions of use for the user/deployer in accordance with Article 13(2) and (3) as well as 14(4)(e) and, where applicable, installation instructions;
Annex IV – paragraph 1 – point 1 – point ga (new)(ga) a detailed and easily intellegible description of the system’s main optimisation goal or goals;A comprehensive and easily understandable explanation of the primary objective or objectives of the system’s optimization.
Annex IV – paragraph 1 – point 1 – point gb (new)(gb) a detailed and easily intellegible description of the system’s expected output and expected output quality;A comprehensive and easily understandable description of the system’s anticipated output and the expected quality of the output.
Annex IV – paragraph 1 – point 1 – point gc (new)(gc) detailed and easily intellegible instructions for interpreting the system’s output;Provide detailed and easily understandable instructions for interpreting the system’s output.
Annex IV – paragraph 1 – point 1 – point gd (new)(gd) examples of scenarios for which the system should not be used;None
Annex IV – paragraph 1 – point 2 – introductory part2.A detailed description of the elements of the AI system and of the process for its development, including:2.A detailed description of the elements of the AI system and of the process for its development, including:2. A detailed description of the elements of the AI system and of the process for its development, including:None
Annex IV – paragraph 1 – point 2 – point a(a) the methods and steps performed for the development of the AI system, including, where relevant, recourse to pre-trained systems or tools provided by third parties and how these have been used, integrated or modified by the provider;
(a) the methods and steps performed for the development of the AI system, including, where relevant, recourse to pre-trained systems or tools provided by third parties and how these have been used, integrated or modified by the provider;
(a) the methods and steps performed for the development of the AI system, including, where relevant, recourse to pre-trained systems or tools provided by third parties and how these have been used, integrated or modified by the provider;(a) the methods and steps performed for the development of the AI system, including, where relevant, recourse to pre-trained systems or tools provided by third parties and how these have been used, integrated or modified by the provider;
Annex IV – paragraph 1 – point 2 – point b(b) the design specifications of the system, namely the general logic of the AI system and of the algorithms; the key design choices including the rationale and assumptions made, also with regard to persons or groups of persons on which the system is intended to be used; the main classification choices; what the system is designed to optimise for and the relevance of the different parameters; the decisions about any possible trade-off made regarding the technical solutions adopted to comply with the requirements set out in Title III, Chapter 2;(b) a description of the architecture, design specifications, algorithms and the data structures including a decomposition of its components and interfaces, how they relate to one another and how they provide for the overall processing or logic of the AI system; the key design choices including the rationale and assumptions made, also with regard to persons or groups of persons on which the system is intended to be used; the main classification choices; what the system is designed to optimise for and the relevance of the different parameters; the decisions about any possible trade-off made regarding the technical solutions adopted to comply with the requirements set out in Title III, Chapter 2;(b) the design specifications of the system, namely the general logic of the AI system and of the algorithms; the key design choices including the rationale and assumptions made, also with regard to persons or groups of persons on which the system is intended to be used; the main classification choices; what the system is designed to optimise for and the relevance of the different parameters; the description of the expected output of the system; the decisions about any possible trade-off made regarding the technical solutions adopted to comply with the requirements set out in Title III, Chapter 2;(b) the design specifications of the system, namely the general logic of the AI system and of the algorithms; a description of the architecture, algorithms and the data structures including a decomposition of its components and interfaces, how they relate to one another and how they provide for the overall processing or logic of the AI system; the key design choices including the rationale and assumptions made, also with regard to persons or groups of persons on which the system is intended to be used; the main classification choices; what the system is designed to optimise for and the relevance of the different parameters; the description of the expected output of the system; the decisions about any possible trade-off made regarding the technical solutions adopted to comply with the requirements set out in Title III, Chapter 2;
Annex IV – paragraph 1 – point 2 – point c(c) the description of the system architecture explaining how software components build on or feed into each other and integrate into the overall processing; the computational resources used to develop, train, test and validate the AI system;(c) deleted(c) the description of the system architecture explaining how software components build on or feed into each other and integrate into the overall processing; the computational resources used to develop, train, test and validate the AI system;(c) the description of the system architecture explaining how software components build on or feed into each other and integrate into the overall processing; the computational resources used to develop, train, test and validate the AI system;
Annex IV – paragraph 1 – point 2 – point d(d) where relevant, the data requirements in terms of datasheets describing the training methodologies and techniques and the training data sets used, including information about the provenance of those data sets, their scope and main characteristics; how the data was obtained and selected; labelling procedures (e.g. for supervised learning), data cleaning methodologies (e.g. outliers detection);(d) where relevant, the data requirements in terms of datasheets describing the training methodologies and techniques and the training data sets used, including information about the provenance of those data sets, their scope and main characteristics; how the data was obtained and selected; labelling procedures (e.g. for supervised learning), data cleaning methodologies (e.g. outliers detection);(d) where relevant, the data requirements in terms of datasheets describing the training methodologies and techniques and the training data sets used, including a general description of these data sets, information about their provenance, scope and main characteristics; how the data was obtained and selected; labelling procedures (e.g. for supervised learning), data cleaning methodologies (e.g. outliers detection);(d) where relevant, the data requirements in terms of datasheets describing the training methodologies and techniques and the training data sets used, including a general description of these data sets, information about the provenance of those data sets, their scope and main characteristics; how the data was obtained and selected; labelling procedures (e.g. for supervised learning), data cleaning methodologies (e.g. outliers detection);
Annex IV – paragraph 1 – point 2 – point e(e) assessment of the human oversight measures needed in accordance with Article 14, including an assessment of the technical measures needed to facilitate the interpretation of the outputs of AI systems by the users, in accordance with Articles 13(3)(d);(e) assessment of the human oversight measures needed in accordance with Article 14, including an assessment of the technical measures needed to facilitate the interpretation of the outputs of AI systems by the deployers, in accordance with Articles 13(3)(d);(e) assessment of the human oversight measures needed in accordance with Article 14, including an assessment of the technical measures needed to facilitate the interpretation of the outputs of AI systems by the users, in accordance with Articles 13(3)(d);(e) assessment of the human oversight measures needed in accordance with Article 14, including an assessment of the technical measures needed to facilitate the interpretation of the outputs of AI systems by the users and deployers, in accordance with Articles 13(3)(d);
Annex IV – paragraph 1 – point 2 – point f(f) where applicable, a detailed description of pre-determined changes to the AI system and its performance, together with all the relevant information related to the technical solutions adopted to ensure continuous compliance of the AI system with the relevant requirements set out in Title III, Chapter 2;(f) where applicable, a detailed description of pre-determined changes to the AI system and its performance, together with all the relevant information related to the technical solutions adopted to ensure continuous compliance of the AI system with the relevant requirements set out in Title III, Chapter 2;(f) where applicable, a detailed description of pre-determined changes to the AI system and its performance, together with all the relevant information related to the technical solutions adopted to ensure continuous compliance of the AI system with the relevant requirements set out in Title III, Chapter 2;(f) where applicable, a detailed description of pre-determined changes to the AI system and its performance, together with all the relevant information related to the technical solutions adopted to ensure continuous compliance of the AI system with the relevant requirements set out in Title III, Chapter 2;
Annex IV – paragraph 1 – point 2 – point g(g) the validation and testing procedures used, including information about the validation and testing data used and their main characteristics; metrics used to measure accuracy, robustness, cybersecurity and compliance with other relevant requirements set out in Title III, Chapter 2 as well as potentially discriminatory impacts; test logs and all test reports dated and signed by the responsible persons, including with regard to pre-determined changes as referred to under point (f).(g) the validation and testing procedures used, including information about the validation and testing data used and their main characteristics; metrics used to measure accuracy, robustness and compliance with other relevant requirements set out in Title III, Chapter 2 as well as potentially discriminatory impacts; test logs and all test reports dated and signed by the responsible persons, including with regard to pre-determined changes as referred to under point (f).(g) the validation and testing procedures used, including information about the validation and testing data used and their main characteristics; metrics used to measure accuracy, robustness, cybersecurity and compliance with other relevant requirements set out in Title III, Chapter 2 as well as potentially discriminatory impacts; test logs and all test reports dated and signed by the responsible persons, including with regard to pre-determined changes as referred to under point (f).(g) the validation and testing procedures used, including information about the validation and testing data used and their main characteristics; metrics used to measure accuracy, robustness, cybersecurity (where applicable) and compliance with other relevant requirements set out in Title III, Chapter 2 as well as potentially discriminatory impacts; test logs and all test reports dated and signed by the responsible persons, including with regard to pre-determined changes as referred to under point (f).
Annex IV – paragraph 1 – point 2 – point ga (new)(ga) cybersecurity measures put in place.Implement cybersecurity measures.
Annex IV – paragraph 1 – point 33. Detailed information about the monitoring, functioning and control of the AI system, in particular with regard to: its capabilities and limitations in performance, including the degrees of accuracy for specific persons or groups of persons on which the system is intended to be used and the overall expected level of accuracy in relation to its intended purpose; the foreseeable unintended outcomes and sources of risks to health and safety, fundamental rights and discrimination in view of the intended purpose of the AI system; the human oversight measures needed in accordance with Article 14, including the technical measures put in place to facilitate the interpretation of the outputs of AI systems by the users; specifications on input data, as appropriate;3. Detailed information about the monitoring, functioning and control of the AI system, in particular with regard to: its capabilities and limitations in performance, including the degrees of accuracy for specific persons or groups of persons on which the system is intended to be used and the overall expected level of accuracy in relation to its intended purpose; the foreseeable unintended outcomes and sources of risks to health and safety, fundamental rights and discrimination in view of the intended purpose of the AI system; the human oversight measures needed in accordance with Article 14, including the technical measures put in place to facilitate the interpretation of the outputs of AI systems by the deployers; specifications on input data, as appropriate;3. Detailed information about the monitoring, functioning and control of the AI system, in particular with regard to: its capabilities and limitations in performance, including the degrees of accuracy for specific persons or groups of persons on which the system is intended to be used and the overall expected level of accuracy in relation to its intended purpose; the foreseeable unintended outcomes and sources of risks to health and safety, fundamental rights and discrimination in view of the intended purpose of the AI system; the human oversight measures needed in accordance with Article 14, including the technical measures put in place to facilitate the interpretation of the outputs of AI systems by the users; specifications on input data, as appropriate;3. Detailed information about the monitoring, functioning and control of the AI system, in particular with regard to: its capabilities and limitations in performance, including the degrees of accuracy for specific persons or groups of persons on which the system is intended to be used and the overall expected level of accuracy in relation to its intended purpose; the foreseeable unintended outcomes and sources of risks to health and safety, fundamental rights and discrimination in view of the intended purpose of the AI system; the human oversight measures needed in accordance with Article 14, including the technical measures put in place to facilitate the interpretation of the outputs of AI systems by the users and deployers; specifications on input data, as appropriate.
Annex IV – paragraph 1 – point 3a (new)3a. A description of the appropriateness of the performance metrics for the specific AI system;A comprehensive evaluation of the suitability of the performance metrics for the specific AI system.
Annex IV – paragraph 1 – point 3b (new)3b. Information about the energy consumption of the AI system during the development phase and the expected energy consumption during use, taking into account, where applicable, relevant Union and national law;Information regarding the energy consumption of the AI system during its development phase and the anticipated energy consumption during its use, in compliance with relevant Union and national law where applicable.
Annex IV – paragraph 1 – point 44. A detailed description of the risk management system in accordance with Article 9;4. A detailed description of the risk management system in accordance with Article 9;4. A detailed description of the risk management system in accordance with Article 9;4. A detailed description of the risk management system in accordance with Article 9;
Annex IV – paragraph 1 – point 55. A description of any change made to the system through its lifecycle;5. A description of any relevant change made by providers to the system through its lifecycle ;5. A description of relevant changes made by the provider to the system through its lifecycle;5. A description of any relevant changes made to the system by the provider through its lifecycle;
Annex IV – paragraph 1 – point 66. A list of the harmonised standards applied in full or in part the references of which have been published in the Official Journal of the European Union; where no such harmonised standards have been applied, a detailed description of the solutions adopted to meet the requirements set out in Title III, Chapter 2, including a list of other relevant standards and technical specifications applied;6. A list of the harmonised standards applied in full or in part the references of which have been published in the Official Journal of the European Union; where no such harmonised standards have been applied, a detailed description of the solutions adopted to meet the requirements set out in Title III, Chapter 2, including a list of other relevant standards or common specifications applied;6. A list of the harmonised standards applied in full or in part the references of which have been published in the Official Journal of the European Union; where no such harmonised standards have been applied, a detailed description of the solutions adopted to meet the requirements set out in Title III, Chapter 2, including a list of other relevant standards and technical specifications applied;6. A list of the harmonised standards applied in full or in part the references of which have been published in the Official Journal of the European Union; where no such harmonised standards have been applied, a detailed description of the solutions adopted to meet the requirements set out in Title III, Chapter 2, including a list of other relevant standards, technical specifications or common specifications applied;
Annex IV – paragraph 1 – point 77. A copy of the EU declaration of conformity;7. A copy of the EU declaration of conformity;7. A copy of the EU declaration of conformity; 7. A copy of the EU declaration of conformity;
Annex IV – paragraph 1 – point 88. A detailed description of the system in place to evaluate the AI system performance in the post-market phase in accordance with Article 61, including the post-market monitoring plan referred to in Article 61(3).8. A detailed description of the system in place to evaluate the AI system performance in the post-market phase in accordance with Article 61, including the post-market monitoring plan referred to in Article 61(3).8. A detailed description of the system in place to evaluate the AI system performance in the post-market phase in accordance with Article 61, including the post-market monitoring plan referred to in Article 61(3).8. A detailed description of the system in place to evaluate the AI system performance in the post-market phase in accordance with Article 61, including the post-market monitoring plan referred to in Article 61(3).
Annex V
NumberingCommissionParliamentCouncilText proposed by the AI
Annex V ANNEX V
EU DECLARATION OF CONFORMITY		ANNEX V
EU DECLARATION OF CONFORMITY		EU DECLARATION OF CONFORMITYANNEX V
EU DECLARATION OF CONFORMITY
Annex V – paragraph 1The EU declaration of conformity referred to in Article 48, shall contain all of the following information:The EU declaration of conformity referred to in Article 48, shall contain all of the following information:The EU declaration of conformity referred to in Article 48, shall contain all of the following information:The EU declaration of conformity referred to in Article 48, shall contain all of the following information:
Annex V – paragraph 1 – point 11. AI system name and type and any additional unambiguous reference allowing identification and traceability of the AI system;1. AI system name and type and any additional unambiguous reference allowing identification and traceability of the AI system;1. AI system name and type and any additional unambiguous reference allowing
identification and traceability of the AI system;
1. AI system name and type and any additional unambiguous reference allowing identification and traceability of the AI system;
Annex V – paragraph 1 – point 22. Name and address of the provider or, where applicable, their authorised representative;2. Name and address of the provider or, where applicable, their authorised representative;2. Name and address of the provider or, where applicable, their authorised representative;
2. Name and address of the provider or, where applicable, their authorised representative;
Annex V – paragraph 1 – point 33. A statement that the EU declaration of conformity is issued under the sole responsibility of the provider;3. A statement that the EU declaration of conformity is issued under the sole responsibility of the provider;3. A statement that the EU declaration of conformity is issued under the sole responsibility of the provider;
3. A statement that the EU declaration of conformity is issued under the sole responsibility of the provider;
Annex V – paragraph 1 – point 4 4. A statement that the AI system in question is in conformity with this Regulation and, if applicable, with any other relevant Union legislation that provides for the issuing of an EU declaration of conformity;4. A statement that the AI system in question is in conformity with this Regulation and, if applicable, with any other relevant Union legislation that provides for the issuing of an EU declaration of conformity;4. A statement that the AI system in question is in conformity with this Regulation and, if applicable, with any other relevant Union legislation that provides for the issuing of an EU declaration of conformity;4. A statement that the AI system in question is in conformity with this Regulation and, if applicable, with any other relevant Union legislation that provides for the issuing of an EU declaration of conformity;
Annex V – paragraph 1 – point 4a (new)4a. Where an AI system involves the processing of personal data, a statement that that AI system complies with Regulations (EU) 2016/679 and (EU) 2018/1725 and Directive (EU) 2016/680.In the event that an AI system involves the processing of personal data, it must be explicitly stated that the AI system is in compliance with Regulations (EU) 2016/679 and (EU) 2018/1725, as well as Directive (EU) 2016/680.
Annex V – paragraph 1 – point 55. References to any relevant harmonised standards used or any other common specification in relation to which conformity is declared;5. References to any relevant harmonised standards used or any other common specification in relation to which conformity is declared;5. References to any relevant harmonised standards used or any other common specification in relation to which conformity is declared;
5. References to any relevant harmonised standards used or any other common specification in relation to which conformity is declared;
Annex V – paragraph 1 – point 66. Where applicable, the name and identification number of the notified body, a description of the conformity assessment procedure performed and identification of the certificate issued;6. Where applicable, the name and identification number of the notified body, a description of the conformity assessment procedure performed and identification of the certificate issued;6. Where applicable, the name and identification number of the notified body, a description of the conformity assessment procedure performed and identification of the certificate issued;6. Where applicable, the name and identification number of the notified body, a description of the conformity assessment procedure performed and identification of the certificate issued;
Annex V – paragraph 1 – point 77. Place and date of issue of the declaration, name and function of the person who signed it as well as an indication for, and on behalf of whom, that person signed, signature.7. Place and date of issue of the declaration, signature, name and function of the person who signed it as well as an indication for, and on behalf of whom, that person signed, signature.7. Place and date of issue of the declaration, name and function of the person who signed it as well as an indication for, and on behalf of whom, that person signed, signature.7. Place and date of issue of the declaration, name and function of the person who signed it as well as an indication for, and on behalf of whom, that person signed, signature.
Annex VI
NumberingCommissionParliamentCouncilText proposed by the AI
ANNEX VIANNEX VI
CONFORMITY ASSESSMENT PROCEDURE BASED ON INTERNAL CONTROL		ANNEX VI
CONFORMITY ASSESSMENT PROCEDURE BASED ON INTERNAL CONTROL		ANNEX VI
CONFORMITY ASSESSMENT PROCEDURE BASED ON INTERNAL CONTROL		ANNEX VI
CONFORMITY ASSESSMENT PROCEDURE BASED ON INTERNAL CONTROL
Annex VI – point 11.The conformity assessment procedure based on internal control is the conformity assessment procedure based on points 2 to 4.1.The conformity assessment procedure based on internal control is the conformity assessment procedure based on points 2 to 4.1. The conformity assessment procedure based on internal control is the conformity
assessment procedure based on points 2 to 4.
1. The conformity assessment procedure based on internal control is the conformity assessment procedure based on points 2 to 4.
Annex VI – point 22.The provider verifies that the established quality management system is in compliance with the requirements of Article 17.2.The provider verifies that the established quality management system is in compliance with the requirements of Article 17.2. The provider verifies that the established quality management system is in compliance with the requirements of Article 17. 2. The provider verifies that the established quality management system is in compliance with the requirements of Article 17.
Annex VI – point 33.The provider examines the information contained in the technical documentation in order to assess the compliance of the AI system with the relevant essential requirements set out in Title III, Chapter 2.3.The provider examines the information contained in the technical documentation in order to assess the compliance of the AI system with the relevant essential requirements set out in Title III, Chapter 2.3. The provider examines the information contained in the technical documentation in order to assess the compliance of the AI system with the relevant essential requirements set out in Title III, Chapter 2. 3. The provider examines the information contained in the technical documentation in order to assess the compliance of the AI system with the relevant essential requirements set out in Title III, Chapter 2.
Annex VI – point 44.The provider also verifies that the design and development process of the AI system and its post-market monitoring as referred to in Article 61 is consistent with the technical documentation.4.The provider also verifies that the design and development process of the AI system and its post-market monitoring as referred to in Article 61 is consistent with the technical documentation.4. The provider also verifies that the design and development process of the AI system and its post-market monitoring as referred to in Article 61 is consistent with the technical documentation.4. The provider also verifies that the design and development process of the AI system and its post-market monitoring as referred to in Article 61 is consistent with the technical documentation.
Annex VII
NumberingCommissionParliamentCouncilText proposed by the AI
Annex VII – titleANNEX VII
CONFORMITY BASED ON ASSESSMENT OF QUALITY MANAGEMENT SYSTEM AND ASSESSMENT OF TECHNICAL DOCUMENTATION		ANNEX VII
CONFORMITY BASED ON ASSESSMENT OF QUALITY MANAGEMENT SYSTEM AND ASSESSMENT OF TECHNICAL DOCUMENTATION		ANNEX VII
CONFORMITY BASED ON ASSESSMENT OF QUALITY MANAGEMENT SYSTEM AND ASSESSMENT OF TECHNICAL DOCUMENTATION		ANNEX VII
CONFORMITY BASED ON ASSESSMENT OF QUALITY MANAGEMENT SYSTEM AND ASSESSMENT OF TECHNICAL DOCUMENTATION
Annex VII – point 11. Introduction

Conformity based on assessment of quality management system and assessment of the technical documentation is the conformity assessment procedure based on points 2 to 5.		1. Introduction

Conformity based on assessment of quality management system and assessment of the technical documentation is the conformity assessment procedure based on points 2 to 5.		1. Introduction
Conformity based on assessment of quality management system and assessment of the technical documentation is the conformity assessment procedure based on points 2 to 5.		1. Introduction

Conformity based on assessment of quality management system and assessment of the technical documentation is the conformity assessment procedure based on points 2 to 5.
Annex VII – point 22.Overview

The approved quality management system for the design, development and testing of AI systems pursuant to Article 17 shall be examined in accordance with point 3 and shall be subject to surveillance as specified in point 5. The technical documentation of the AI system shall be examined in accordance with point 4.		2.Overview

The approved quality management system for the design, development and testing of AI systems pursuant to Article 17 shall be examined in accordance with point 3 and shall be subject to surveillance as specified in point 5. The technical documentation of the AI system shall be examined in accordance with point 4.		2. Overview

The approved quality management system for the design, development and testing of AI systems pursuant to Article 17 shall be examined in accordance with point 3 and shall be subject to surveillance as specified in point 5. The technical documentation of the AI system shall be examined in accordance with point 4.		2. Overview

The approved quality management system for the design, development and testing of AI systems pursuant to Article 17 shall be examined in accordance with point 3 and shall be subject to surveillance as specified in point 5. The technical documentation of the AI system shall be examined in accordance with point 4.
Annex VII – point 33.Quality management system3.Quality management system3.Quality management system3.Quality management system
Annex VII – point 3 – point 3.13.1.The application of the provider shall include:
(a) the name and address of the provider and, if the application is lodged by the authorised representative, their name and address as well;
(b) the list of AI systems covered under the same quality management system;
(c) the technical documentation for each AI system covered under the same quality management system;
(d) the documentation concerning the quality management system which shall cover all the aspects listed under Article 17;
(e) a description of the procedures in place to ensure that the quality management system remains adequate and effective;
(f) a written declaration that the same application has not been lodged with any other notified body.		3.1.The application of the provider shall include:
(a) the name and address of the provider and, if the application is lodged by the authorised representative, their name and address as well;
(b) the list of AI systems covered under the same quality management system;
(c) the technical documentation for each AI system covered under the same quality management system;
(d) the documentation concerning the quality management system which shall cover all the aspects listed under Article 17;
(e) a description of the procedures in place to ensure that the quality management system remains adequate and effective;
(f) a written declaration that the same application has not been lodged with any other notified body.		3.1. The application of the provider shall include:
(a) the name and address of the provider and, if the application is lodged by the authorised representative, their name and address as well;
(b) the list of AI systems covered under the same quality management system;
(c) the technical documentation for each AI system covered under the same quality management system;
(d) the documentation concerning the quality management system which shall cover all the aspects listed under Article 17;
(e) a description of the procedures in place to ensure that the quality management system remains adequate and effective;
(f) a written declaration that the same application has not been lodged with any other notified body.		3.1. The application of the provider shall include:
(a) the name and address of the provider and, if the application is lodged by the authorised representative, their name and address as well;
(b) the list of AI systems covered under the same quality management system;
(c) the technical documentation for each AI system covered under the same quality management system;
(d) the documentation concerning the quality management system which shall cover all the aspects listed under Article 17;
(e) a description of the procedures in place to ensure that the quality management system remains adequate and effective;
(f) a written declaration that the same application has not been lodged with any other notified body.
Annex VII – point 3 – point 3.23.2.The quality management system shall be assessed by the notified body, which shall determine whether it satisfies the requirements referred to in Article 17.
The decision shall be notified to the provider or its authorised representative.
The notification shall contain the conclusions of the assessment of the quality management system and the reasoned assessment decision.		3.2.The quality management system shall be assessed by the notified body, which shall determine whether it satisfies the requirements referred to in Article 17.
The decision shall be notified to the provider or its authorised representative.
The notification shall contain the conclusions of the assessment of the quality management system and the reasoned assessment decision.		3.2. The quality management system shall be assessed by the notified body, which shall determine whether it satisfies the requirements referred to in Article 17.
The decision shall be notified to the provider or its authorised representative.
The notification shall contain the conclusions of the assessment of the quality management system and the reasoned assessment decision.		3.2. The quality management system shall be assessed by the notified body, which shall determine whether it satisfies the requirements referred to in Article 17. The decision shall be notified to the provider or its authorised representative. The notification shall contain the conclusions of the assessment of the quality management system and the reasoned assessment decision.
Annex VII – point 3 – point 3.33.3.The quality management system as approved shall continue to be implemented and maintained by the provider so that it remains adequate and efficient.3.3.The quality management system as approved shall continue to be implemented and maintained by the provider so that it remains adequate and efficient.3.3. The quality management system as approved shall continue to be implemented and maintained by the provider so that it remains adequate and efficient.3.3. The quality management system as approved shall continue to be implemented and maintained by the provider so that it remains adequate and efficient.
Annex VII – point 3 – point 3.43.4.Any intended change to the approved quality management system or the list of AI systems covered by the latter shall be brought to the attention of the notified body by the provider.
The proposed changes shall be examined by the notified body, which shall decide whether the modified quality management system continues to satisfy the requirements referred to in point 3.2 or whether a reassessment is necessary.
The notified body shall notify the provider of its decision. The notification shall contain the conclusions of the examination of the changes and the reasoned assessment decision.		3.4.Any intended change to the approved quality management system or the list of AI systems covered by the latter shall be brought to the attention of the notified body by the provider.
The proposed changes shall be examined by the notified body, which shall decide whether the modified quality management system continues to satisfy the requirements referred to in point 3.2 or whether a reassessment is necessary.
The notified body shall notify the provider of its decision. The notification shall contain the conclusions of the examination of the changes and the reasoned assessment decision.		3.4. Any intended change to the approved quality management system or the list of AI systems covered by the latter shall be brought to the attention of the notified body by the provider.
The proposed changes shall be examined by the notified body, which shall decide whether the modified quality management system continues to satisfy the requirements referred to in point 3.2 or whether a reassessment is necessary.
The notified body shall notify the provider of its decision. The notification shall contain the conclusions of the examination of the changes and the reasoned assessment decision.		3.4. Any intended change to the approved quality management system or the list of AI systems covered by the latter shall be brought to the attention of the notified body by the provider. The proposed changes shall be examined by the notified body, which shall decide whether the modified quality management system continues to satisfy the requirements referred to in point 3.2 or whether a reassessment is necessary. The notified body shall notify the provider of its decision. The notification shall contain the conclusions of the examination of the changes and the reasoned assessment decision.
Annex VII – point 44.Control of the technical documentation.4.Control of the technical documentation.4.Control of the technical documentation.4.Control of the technical documentation.
Annex VII – point 4 – point 4.14.1.In addition to the application referred to in point 3, an application with a notified body of their choice shall be lodged by the provider for the assessment of the technical documentation relating to the AI system which the provider intends to place on the market or put into service and which is covered by the quality management system referred to under point 3.4.1.In addition to the application referred to in point 3, an application with a notified body of their choice shall be lodged by the provider for the assessment of the technical documentation relating to the AI system which the provider intends to place on the market or put into service and which is covered by the quality management system referred to under point 3.4.1. In addition to the application referred to in point 3, an application with a notified body of their choice shall be lodged by the provider for the assessment of the technical documentation relating to the AI system which the provider intends to place on the market or put into service and which is covered by the quality management system referred to under point 3.4.1. In addition to the application referred to in point 3, an application with a notified body of their choice shall be lodged by the provider for the assessment of the technical documentation relating to the AI system which the provider intends to place on the market or put into service and which is covered by the quality management system referred to under point 3.
Annex VII – point 4 – point 4.24.2.The application shall include:
(a) the name and address of the provider;
(b) a written declaration that the same application has not been lodged with any other notified body;
(c) the technical documentation referred to in Annex IV.		4.2.The application shall include:
(a) the name and address of the provider;
(b) a written declaration that the same application has not been lodged with any other notified body;
(c) the technical documentation referred to in Annex IV.		4.2. The application shall include:
(a) the name and address of the provider;
(b) a written declaration that the same application has not been lodged with any other notified body;
(c) the technical documentation referred to in Annex IV.		4.2. The application shall include:
(a) the name and address of the provider;
(b) a written declaration that the same application has not been lodged with any other notified body;
(c) the technical documentation referred to in Annex IV.
Annex VII – point 4 – point 4.34.3 The technical documentation shall be examined by the notified body. To this purpose, the notified body shall be granted full access to the training and testing datasets used by the provider, including through application programming interfaces (API) or other appropriate means and tools enabling remote access.4.3 The technical documentation shall be examined by the notified body. To this purpose, the notified body shall be granted full access to the training and testing datasets used by the provider, including through application programming interfaces (API) or other appropriate means and tools enabling remote access.4.3 The technical documentation shall be examined by the notified body. Where relevant and limited to what is necessary to fulfil their tasks, the notified body shall be granted full access to the training, validation, and testing datasets used, including, where appropriate and subject to security safeguards, through application programming interfaces (API) or other relevant technical means and tools enabling remote access.4.3 The technical documentation shall be examined by the notified body. To this purpose, the notified body shall be granted full access to the training, validation, and testing datasets used by the provider, where relevant and limited to what is necessary to fulfil their tasks. This access should be granted, subject to security safeguards, through application programming interfaces (API) or other appropriate means and tools enabling remote access.
Annex VII – point 4 – point 4.44.4 In examining the technical documentation, the notified body may require that the provider supplies further evidence or carries out further tests so as to enable a proper assessment of conformity of the AI system with the requirements set out in Title III, Chapter 2. Whenever the notified body is not satisfied with the tests carried out by the provider, the notified body shall directly carry out adequate tests, as appropriate.4.4 In examining the technical documentation, the notified body may require that the provider supplies further evidence or carries out further tests so as to enable a proper assessment of conformity of the AI system with the requirements set out in Title III, Chapter 2. Whenever the notified body is not satisfied with the tests carried out by the provider, the notified body shall directly carry out adequate tests, as appropriate.4.4. In examining the technical documentation, the notified body may require that the provider supplies further evidence or carries out further tests so as to enable a proper assessment of conformity of the AI system with the requirements set out in Title III, Chapter 2. Whenever the notified body is not satisfied with the tests carried out by the provider, the notified body shall directly carry out adequate tests, as appropriate.4.4 In examining the technical documentation, the notified body may require that the provider supplies further evidence or carries out further tests so as to enable a proper assessment of conformity of the AI system with the requirements set out in Title III, Chapter 2. Whenever the notified body is not satisfied with the tests carried out by the provider, the notified body shall directly carry out adequate tests, as appropriate.
Annex VII – point 4 – point 4.54.5. Where necessary to assess the conformity of the high-risk AI system with the requirements set out in Title III, Chapter 2 and upon a reasoned request, the notified body shall also be granted access to the source code of the AI system.4.5 Where necessary to assess the conformity of the high-risk AI system with the requirements set out in Title III, Chapter 2, after all other reasonable ways to verify conformity have been exhausted and have proven to be insufficient, and upon a reasoned request, the notified body shall also be granted access to the training and trained models of the AI system, including its relevant parameters. Such access shall be subject to existing Union law on the protection of intellectual property and trade secrets. They shall take technical and organisational measures to ensure the protection of intellectual property and trade secrets.4.5. Notified bodies shall be granted access to the source code of the AI system upon a reasoned request and only when the following cumulative conditions are fulfilled:
a) Access to source code is necessary to assess the conformity of the high-risk AI system with the requirements set out in Title III, Chapter 2, and
b) testing/auditing procedures and verifications based on the data and documentation provided by the provider have been exhausted or proved insufficient.		4.5. Upon a reasoned request, the notified body shall be granted access to the source code, training, and trained models of the high-risk AI system, including its relevant parameters, only when the following cumulative conditions are fulfilled:
a) Access to these elements is necessary to assess the conformity of the AI system with the requirements set out in Title III, Chapter 2, and
b) All other reasonable ways to verify conformity, including testing/auditing procedures and verifications based on the data and documentation provided by the provider, have been exhausted and have proven to be insufficient.
Such access shall be subject to existing Union law on the protection of intellectual property and trade secrets. The notified body shall take technical and organisational measures to ensure the protection of intellectual property and trade secrets.
Annex VII – point 4 – point 4.64.6.The decision shall be notified to the provider or its authorised representative. The notification shall contain the conclusions of the assessment of the technical documentation and the reasoned assessment decision.

Where the AI system is in conformity with the requirements set out in Title III, Chapter 2, an EU technical documentation assessment certificate shall be issued by the notified body. The certificate shall indicate the name and address of the provider, the conclusions of the examination, the conditions (if any) for its validity and the data necessary for the identification of the AI system.

The certificate and its annexes shall contain all relevant information to allow the conformity of the AI system to be evaluated, and to allow for control of the AI system while in use, where applicable.

Where the AI system is not in conformity with the requirements set out in Title III, Chapter 2, the notified body shall refuse to issue an EU technical documentation assessment certificate and shall inform the applicant accordingly, giving detailed reasons for its refusal.

Where the AI system does not meet the requirement relating to the data used to train it, re-training of the AI system will be needed prior to the application for a new conformity assessment. In this case, the reasoned assessment decision of the notified body refusing to issue the EU technical documentation assessment certificate shall contain specific considerations on the quality data used to train the AI system, notably on the reasons for non-compliance.		4.6.The decision shall be notified to the provider or its authorised representative. The notification shall contain the conclusions of the assessment of the technical documentation and the reasoned assessment decision.

Where the AI system is in conformity with the requirements set out in Title III, Chapter 2, an EU technical documentation assessment certificate shall be issued by the notified body. The certificate shall indicate the name and address of the provider, the conclusions of the examination, the conditions (if any) for its validity and the data necessary for the identification of the AI system.

The certificate and its annexes shall contain all relevant information to allow the conformity of the AI system to be evaluated, and to allow for control of the AI system while in use, where applicable.

Where the AI system is not in conformity with the requirements set out in Title III, Chapter 2, the notified body shall refuse to issue an EU technical documentation assessment certificate and shall inform the applicant accordingly, giving detailed reasons for its refusal.

Where the AI system does not meet the requirement relating to the data used to train it, re-training of the AI system will be needed prior to the application for a new conformity assessment. In this case, the reasoned assessment decision of the notified body refusing to issue the EU technical documentation assessment certificate shall contain specific considerations on the quality data used to train the AI system, notably on the reasons for non-compliance.		4.6. The decision shall be notified to the provider or its authorised representative.

The notification shall contain the conclusions of the assessment of the technical documentation and the reasoned assessment decision.

Where the AI system is in conformity with the requirements set out in Title III, Chapter 2, an EU technical documentation assessment certificate shall be issued by the notified body. The certificate shall indicate the name and address of the provider, the conclusions of the examination, the conditions (if any) for its validity and the data necessary for the identification of the AI system.

The certificate and its annexes shall contain all relevant information to allow the conformity of the AI system to be evaluated, and to allow for control of the AI system while in use, where applicable.

Where the AI system is not in conformity with the requirements set out in Title III, Chapter 2, the notified body shall refuse to issue an EU technical documentation assessment certificate and shall inform the applicant accordingly, giving detailed reasons for its refusal.

Where the AI system does not meet the requirement relating to the data used to train it, re- training of the AI system will be needed prior to the application for a new conformity assessment. In this case, the reasoned assessment decision of the notified body refusing to issue the EU technical documentation assessment certificate shall contain specific considerations on the quality data used to train the AI system, notably on the reasons for non-compliance.		4.6. The decision shall be communicated to the provider or its authorised representative. This notification shall include the conclusions of the technical documentation assessment and the reasoned assessment decision.

If the AI system complies with the requirements outlined in Title III, Chapter 2, the notified body shall issue an EU technical documentation assessment certificate. This certificate will list the provider’s name and address, the conclusions of the examination, any conditions for its validity, and the data necessary for the AI system’s identification.

The certificate and its annexes will contain all pertinent information to evaluate the AI system’s conformity and, where applicable, to monitor the AI system while in use.

If the AI system does not comply with the requirements in Title III, Chapter 2, the notified body will refuse to issue an EU technical documentation assessment certificate. The applicant will be informed of this decision, with a detailed explanation for the refusal.

If the AI system fails to meet the requirement concerning the data used for its training, the AI system will need to be re-trained before a new conformity assessment application can be made. In this scenario, the reasoned assessment decision from the notified body, which refuses to issue the EU technical documentation assessment certificate, will include specific considerations on the quality of data used to train the AI system, particularly the reasons for non-compliance.
Annex VII – point 4 – point 4.74.7. Any change to the AI system that could affect the compliance of the AI system with the requirements or its intended purpose shall be approved by the notified body which issued the EU technical documentation assessment certificate. The provider shall inform such notified body of its intention to introduce any of the above-mentioned changes or if it becomes otherwise aware of the occurrence of such changes. The intended changes shall be assessed by the notified body which shall decide whether those changes require a new conformity assessment in accordance with Article 43(4) or whether they could be addressed by means of a supplement to the EU technical documentation assessment certificate. In the latter case, the notified body shall assess the changes, notify the provider of its decision and, where the changes are approved, issue to the provider a supplement to the EU technical documentation assessment certificate.4.7. Any change to the AI system that could affect the compliance of the AI system with the requirements or its intended purpose shall be approved by the notified body which issued the EU technical documentation assessment certificate. The provider shall inform such notified body of its intention to introduce any of the above-mentioned changes or if it becomes otherwise aware of the occurrence of such changes. The intended changes shall be assessed by the notified body which shall decide whether those changes require a new conformity assessment in accordance with Article 43(4) or whether they could be addressed by means of a supplement to the EU technical documentation assessment certificate. In the latter case, the notified body shall assess the changes, notify the provider of its decision and, where the changes are approved, issue to the provider a supplement to the EU technical documentation assessment certificate.4.7. Any change to the AI system that could affect the compliance of the AI system with the requirements or its intended purpose shall be approved by the notified body which issued the EU technical documentation assessment certificate. The provider shall inform such notified body of its intention to introduce any of the above-mentioned changes or if it becomes otherwise aware of the occurrence of such changes. The intended changes shall be assessed by the notified body which shall decide whether those changes require a new conformity assessment in accordance with Article 43(4) or whether they could be addressed by means of a supplement to the EU technical documentation assessment certificate. In the latter case, the notified body shall assess the changes, notify the provider of its decision and, where the changes are approved, issue to the provider a supplement to the EU technical documentation assessment certificate.4.7. Any change to the AI system that could affect the compliance of the AI system with the requirements or its intended purpose shall be approved by the notified body which issued the EU technical documentation assessment certificate. The provider shall inform such notified body of its intention to introduce any of the above-mentioned changes or if it becomes otherwise aware of the occurrence of such changes. The intended changes shall be assessed by the notified body which shall decide whether those changes require a new conformity assessment in accordance with Article 43(4) or whether they could be addressed by means of a supplement to the EU technical documentation assessment certificate. In the latter case, the notified body shall assess the changes, notify the provider of its decision and, where the changes are approved, issue to the provider a supplement to the EU technical documentation assessment certificate.
Annex VII – point 55.Surveillance of the approved quality management system.5.Surveillance of the approved quality management system.5. Surveillance of the approved quality management system.5. Surveillance of the approved quality management system.
Annex VII – point 5 – point 5.15.1. The purpose of the surveillance carried out by the notified body referred to in Point 3 is to make sure that the provider duly fulfils the terms and conditions of the approved quality management system.5.1. The purpose of the surveillance carried out by the notified body referred to in Point 3 is to make sure that the provider duly fulfils the terms and conditions of the approved quality management system.5.1. The purpose of the surveillance carried out by the notified body referred to in Point 3 is to make sure that the provider duly fulfils the terms and conditions of the approved quality management system.5.1. The purpose of the surveillance carried out by the notified body referred to in Point 3 is to make sure that the provider duly fulfils the terms and conditions of the approved quality management system.
Annex VII – point 5 – point 5.25.2. For assessment purposes, the provider shall allow the notified body to access the premises where the design, development, testing of the AI systems is taking place. The provider shall further share with the notified body all necessary information.5.2. For assessment purposes, the provider shall allow the notified body to access the premises where the design, development, testing of the AI systems is taking place. The provider shall further share with the notified body all necessary information.5.2. For assessment purposes, the provider shall allow the notified body to access the premises where the design, development, testing of the AI systems is taking place. The provider shall further share with the notified body all necessary information.5.2. For assessment purposes, the provider shall allow the notified body to access the premises where the design, development, testing of the AI systems is taking place. The provider shall further share with the notified body all necessary information.
Annex VII – point 5 – point 5.35.3. The notified body shall carry out periodic audits to make sure that the provider maintains and applies the quality management system and shall provide the provider with an audit report. In the context of those audits, the notified body may carry out additional tests of the AI systems for which an EU technical documentation assessment certificate was issued.5.3. The notified body shall carry out periodic audits to make sure that the provider maintains and applies the quality management system and shall provide the provider with an audit report. In the context of those audits, the notified body may carry out additional tests of the AI systems for which an EU technical documentation assessment certificate was issued.5.3. The notified body shall carry out periodic audits to make sure that the provider maintains and applies the quality management system and shall provide the provider with an audit report. In the context of those audits, the notified body may carry out additional tests of the AI systems for which an EU technical documentation assessment certificate was issued.5.3. The notified body shall carry out periodic audits to make sure that the provider maintains and applies the quality management system and shall provide the provider with an audit report. In the context of those audits, the notified body may carry out additional tests of the AI systems for which an EU technical documentation assessment certificate was issued.
Annex VIII
NumberingCommissionParliamentCouncilText proposed by the AI
ANNEX VIIIANNEX VIII
INFORMATION TO BE SUBMITTED UPON THE REGISTRATION OF HIGH-RISK AI SYSTEMS IN ACCORDANCE WITH ARTICLE 51		ANNEX VIII
INFORMATION TO BE SUBMITTED UPON THE REGISTRATION OF HIGH-RISK AI SYSTEMS IN ACCORDANCE WITH ARTICLE 51		ANNEX VIII
INFORMATION TO BE SUBMITTED UPON THE REGISTRATION OF OPERATORS AND HIGH-RISK AI SYSTEMS IN ACCORDANCE WITH ARTICLE 51		ANNEX VIII
INFORMATION TO BE SUBMITTED UPON THE REGISTRATION OF OPERATORS AND HIGH-RISK AI SYSTEMS IN ACCORDANCE WITH ARTICLE 51
Annex VIII – paragraph 1The following information shall be provided and thereafter kept up to date with regard to high-risk AI systems to be registered in accordance with Article 51.Section A – The following information shall be provided and thereafter kept up to date with regard to high-risk AI systems to be registered in accordance with Article 51 (1).Providers, authorised representatives and users that are public authorities, agencies or bodies shall submit the information referred to in Part I. Providers or, when applicable, authorised representatives shall ensure that the information on their high-risk AI systems referred to in Part II, 1 to 11 is complete, correct and kept up-to-date. Information laid down in II.12 shall be automatically generated by the database.The following information shall be provided and thereafter kept up to date with regard to high-risk AI systems to be registered in accordance with Article 51 (1). Providers, authorised representatives, and users that are public authorities, agencies or bodies shall submit the information referred to in Part I. Providers or, when applicable, authorised representatives shall ensure that the information on their high-risk AI systems referred to in Part II, 1 to 11 is complete, correct and kept up-to-date. Information laid down in II.12 shall be automatically generated by the database.
Annex VIII – part I (new)Part I. Information related to operators (upon operators’registration)None
Annex VIII – part I – point -1 (new)–1. Type of operator (provider, authorised representative or user);1. Type of operator (provider, authorised representative or user);
Anex VIII – point 1 1.Name, address and contact details of the provider;1.Name, address and contact details of the provider;1. Name, address and contact details of the provider;1. Name, address and contact details of the provider;
Anex VIII – point 2 2.Where submission of information is carried out by another person on behalf of the provider, the name, address and contact details of that person;2.Where submission of information is carried out by another person on behalf of the provider, the name, address and contact details of that person;2. Where submission of information is carried out by another person on behalf of the operator, the name, address and contact details of that person;2. Where submission of information is carried out by another person on behalf of the provider/operator, the name, address and contact details of that person;
Annex VIII – part II (new)Part II. Information related to the high-risk AI systemNone
Annex VIII – part II – point 1 (new)1. Name, address and contact details of the providerNone
Anex VIII – point 3 3.Name, address and contact details of the authorised representative, where applicable;3.Name, address and contact details of the authorised representative, where applicable;2. Name, address and contact details of the authorised representative, where applicable;Name, address and contact details of the authorised representative, where applicable;
Anex VIII – point 44.AI system trade name and any additional unambiguous reference allowing identification and traceability of the AI system;4.AI system trade name and any additional unambiguous reference allowing identification and traceability of the AI system;3. AI system trade name and any additional unambiguous reference allowing identification and traceability of the AI system;3. AI system trade name and any additional unambiguous reference allowing identification and traceability of the AI system;
Annex VIII – point 4a (new)4a. Foundation model trade name and any additional unambiguous refernce allowing identification and traceabilityThe trade name of the foundation model and any additional unambiguous reference should be provided to ensure identification and traceability.
Annex VIII – point 55. Description of the intended purpose of the AI system5. A simple and comprehensible description of
a. the intended purpose of the AI system;
b. the components and functions supported through AI;
c. a basic explanation of the logic of the AI system		4. Description of the intended purpose of the AI system;5. Comprehensive Description of the AI System:
a. Clear articulation of the intended purpose of the AI system;
b. Detailed overview of the components and functions supported through AI;
c. Basic explanation of the logic underpinning the AI system.
Annex VIII – point 5a (new)5a. where applicable, the categories and nature of data likely or foreseen to be processed by the AI system.The AI system should, where applicable, process the categories and nature of data that are likely or foreseen.
Annex VIII – point 66. Status of the AI system (on the market, or in service; no longer placed on the market/in service, recalled);6. Status of the AI system (on the market, or in service; no longer placed on the market/in service, recalled);5. Status of the AI system (on the market, or in service; no longer placed on the market/in service, recalled);6. Status of the AI system (on the market, or in service; no longer placed on the market/in service, recalled);
Annex VIII – point 77. Type, number and expiry date of the certificate issued by the notified body and the name or identification number of that notified body, when applicable;7. Type, number and expiry date of the certificate issued by the notified body and the name or identification number of that notified body, when applicable;6. Type, number and expiry date of the certificate issued by the notified body and the name or identification number of that notified body, when applicable;Type, number and expiry date of the certificate issued by the notified body and the name or identification number of that notified body, when applicable;
Annex VIII – point 88. A scanned copy of the certificate referred to in point 7, when applicable;8. A scanned copy of the certificate referred to in point 7, when applicable;7. A scanned copy of the certificate referred to in point 6, when applicable;8. A scanned copy of the certificate referred to in the previous point, when applicable;
Annex VIII – point 99. Member States in which the AI system is or has been placed on the market, put into service or made available in the Union;9. Member States in which the AI system is or has been placed on the market, put into service or made available in the Union;8. Member States in which the AI system is or has been placed on the market, put into service or made available in the Union;Member States in which the AI system is or has been placed on the market, put into service or made available in the Union;
Annex VIII – point 1010. A copy of the EU declaration of conformity referred to in Article 48;10. A copy of the EU declaration of conformity referred to in Article 48;9. A copy of the EU declaration of conformity referred to in Article 48;10. A copy of the EU declaration of conformity referred to in Article 48;
Annex VIII – point 1111. Electronic instructions for use; this information shall not be provided for high-risk AI systems in the areas of law enforcement and migration, asylum and border control management referred to in Annex III, points 1, 6 and 7.deleted10. Electronic instructions for use;10. Electronic instructions for use;
Annex VIII – point 1212. URL for additional information (optional).12. URL for additional information (optional).11. URL for additional information (optional).12. URL for additional information (optional).
Annex VIII – Pat II – point 12 (new)12. Name, address and contact details of usersNone
ANNEX VIII – SECTION B (new)SECTION B – The following information shall be provided and thereafter kept up to date with regard to high-risk AI systems to be registered in accordance with Article 51 (1a) (a) and (1b).

1. the name, address and contact details of the deployer ;

2. the name, address and contact details of the person submitting information on behalf of the deployer ;

3. the high risk AI system trade name and any additional unambiguous reference allowing identification and traceability of the AI system used;

4. a) A simple and comprehensible description of the intended use of the AI system, including the specific outcomes sought through the use of the systemn, the geographic and temporal scope of application
b. Where applicable, the categories and nature of data to be processed by the AI system;
c. Arrangements for human oversight and governance
d. Where relevant, the bodies or natural persons responsible for decisions taken or supported by the AI system;

5. a summary of the findings of the fundamental rights impact assessment conducted in accordance with Article 29a

6. The URL of the entry of the AI system in the EU database by its provider

7. A summary of the data protection impact assessment carried out in accordance with Article 35 of Regulation (EU) 2016/679 or Article 27 of Directive (EU) 2016/680 as specified in paragraph 6 of Article 29 of this Regulation, where applicable.		The following information must be provided and regularly updated for high-risk AI systems to be registered in accordance with Article 51 (1a) (a) and (1b):

1. The name, address, and contact details of the deployer.
2. The name, address, and contact details of the person submitting information on behalf of the deployer.
3. The high-risk AI system trade name and any additional unambiguous reference allowing identification and traceability of the AI system used.
4. A simple and comprehensible description of the intended use of the AI system, including the specific outcomes sought through the use of the system, the geographic and temporal scope of application. Where applicable, the categories and nature of data to be processed by the AI system should be included. Arrangements for human oversight and governance should be detailed. Where relevant, the bodies or natural persons responsible for decisions taken or supported by the AI system should be identified.
5. A summary of the findings of the fundamental rights impact assessment conducted in accordance with Article 29a.
6. The URL of the entry of the AI system in the EU database by its provider.
7. A summary of the data protection impact assessment carried out in accordance with Article 35 of Regulation (EU) 2016/679 or Article 27 of Directive (EU) 2016/680 as specified in paragraph 6 of Article 29 of this Regulation, where applicable.
Annex VIII – Section C (new)Section C – The following information shall be provided and thereafter kept up to date with regard to foundation models to be registered in accordance with Article 28b (e).

1. Name, address and contact details of the provider;

2. Where submission of information is carried out by another person on behalf of the provider, the name, address and contact details of that person;

3. Name, address and contact details of the authorised representative, where applicable;

4. Trade name and any additional unambiguous reference allowing the identification of the foundation model

5. Description of the data sources used in the development of the foundational model

6. Description of the capabilities and limitations of the foundation model, including the reasonably foreseeable risks and the measures that have been taken to mitigate them as well as remaining non-mitigated risks with an explanation on the reason why they cannot be mitigated

7. Description of the training resources used by the foundation model including computing power required, training time, and other relevant information related to the size and power of the model 8. Description of the model’s performance, including on public benchmarks or state of the art industry benchmarks

8. Description of the results of relevant internal and external testing and optimisation of the model

9. Member States in which the foundation model is or has been placed on the market, put into service or made available in the Union;

10. URL for additional information (optional). 		The following information shall be provided and thereafter kept up to date with regard to foundation models to be registered in accordance with Article 28b (e):

1. Name, address and contact details of the provider;

2. If submission of information is carried out by another person on behalf of the provider, the name, address and contact details of that person;

3. Name, address and contact details of the authorised representative, if applicable;

4. Trade name and any additional unambiguous reference allowing the identification of the foundation model;

5. Description of the data sources used in the development of the foundational model;

6. Description of the capabilities and limitations of the foundation model, including the reasonably foreseeable risks and the measures that have been taken to mitigate them as well as remaining non-mitigated risks with an explanation on the reason why they cannot be mitigated;

7. Description of the training resources used by the foundation model including computing power required, training time, and other relevant information related to the size and power of the model;

8. Description of the model’s performance, including on public benchmarks or state of the art industry benchmarks;

9. Description of the results of relevant internal and external testing and optimisation of the model;

10. Member States in which the foundation model is or has been placed on the market, put into service or made available in the Union;

11. URL for additional information (optional).
ANNEX VIIIa (new) ANNEX VIIIa
INFORMATION TO BE SUBMITTED UPON THE REGISTRATION OF HIGH-RISK AI SYSTEMS LISTED IN ANNEX III IN RELATION TO TESTING IN REAL WORLD CONDITIONS IN ACCORDANCE WITH ARTICLE 54a

The following information shall be provided and thereafter kept up to date with regard to testing in real world conditions to be registered in accordance with Article 54a:

1. Union-wide unique single identification number of the testing in real world conditions;

2. Name and contact details of the provider or prospective provider and users involved in the testing in real world conditions;

3. A brief description of the AI system, its intended purpose and other information necessary for the identification of the system;

4. A summary of the main characteristics of the plan for testing in real world conditions; 5. Information on the suspension or termination of the testing in real world conditions.		ANNEX VIIIa
INFORMATION TO BE SUBMITTED UPON THE REGISTRATION OF HIGH-RISK AI SYSTEMS LISTED IN ANNEX III IN RELATION TO TESTING IN REAL WORLD CONDITIONS IN ACCORDANCE WITH ARTICLE 54a

The following information shall be provided and thereafter kept up to date with regard to testing in real world conditions to be registered in accordance with Article 54a:

1. Union-wide unique single identification number of the testing in real world conditions;

2. Name and contact details of the provider or prospective provider and users involved in the testing in real world conditions;

3. A brief description of the AI system, its intended purpose and other information necessary for the identification of the system;

4. A summary of the main characteristics of the plan for testing in real world conditions;

5. Information on the suspension or termination of the testing in real world conditions.
Annex IX
NumberingCommissionParliamentCouncilText proposed by the AI
ANNEX IXANNEX IX
Union legislation ON large-scale IT systems in the area of Freedom, Security and Justice		ANNEX IX
Union legislation ON large-scale IT systems in the area of Freedom, Security and Justice		ANNEX IX
UNION LEGISLATION ON LARGE-SCALE IT SYSTEMS IN THE AREA OF FREEDOM, SECURITY AND JUSTICE		ANNEX IX
Union legislation on large-scale IT systems in the area of Freedom, Security and Justice
Annex IX – point 11. Schengen Information System

(a) Regulation (EU) 2018/1860 of the European Parliament and of the Council of 28 November 2018 on the use of the Schengen Information System for the return of illegally staying third-country nationals (OJ L 312, 7.12.2018, p. 1).

(b) Regulation (EU) 2018/1861 of the European Parliament and of the Council of 28 November 2018 on the establishment, operation and use of the Schengen Information System (SIS) in the field of border checks, and amending the Convention implementing the Schengen Agreement, and amending and repealing Regulation (EC) No 1987/2006 (OJ L 312, 7.12.2018, p. 14)

(c) Regulation (EU) 2018/1862 of the European Parliament and of the Council of 28 November 2018 on the establishment, operation and use of the Schengen Information System (SIS) in the field of police cooperation and judicial cooperation in criminal matters, amending and repealing Council Decision 2007/533/JHA, and repealing Regulation (EC) No 1986/2006 of the European Parliament and of the Council and Commission Decision 2010/261/EU (OJ L 312, 7.12.2018, p. 56).		1. Schengen Information System

(a) Regulation (EU) 2018/1860 of the European Parliament and of the Council of 28 November 2018 on the use of the Schengen Information System for the return of illegally staying third-country nationals (OJ L 312, 7.12.2018, p. 1).

(b) Regulation (EU) 2018/1861 of the European Parliament and of the Council of 28 November 2018 on the establishment, operation and use of the Schengen Information System (SIS) in the field of border checks, and amending the Convention implementing the Schengen Agreement, and amending and repealing Regulation (EC) No 1987/2006 (OJ L 312, 7.12.2018, p. 14)

(c) Regulation (EU) 2018/1862 of the European Parliament and of the Council of 28 November 2018 on the establishment, operation and use of the Schengen Information System (SIS) in the field of police cooperation and judicial cooperation in criminal matters, amending and repealing Council Decision 2007/533/JHA, and repealing Regulation (EC) No 1986/2006 of the European Parliament and of the Council and Commission Decision 2010/261/EU (OJ L 312, 7.12.2018, p. 56).		1. Schengen Information System

(a) Regulation (EU) 2018/1860 of the European Parliament and of the Council of 28 November 2018 on the use of the Schengen Information System for the return of illegally staying third-country nationals (OJ L 312, 7.12.2018, p. 1).

(b) Regulation (EU) 2018/1861 of the European Parliament and of the Council of 28 November 2018 on the establishment, operation and use of the Schengen Information System (SIS) in the field of border checks, and amending the Convention implementing the Schengen Agreement, and amending and repealing Regulation (EC) No 1987/2006 (OJ L 312, 7.12.2018, p. 14)

(c) Regulation (EU) 2018/1862 of the European Parliament and of the Council of 28 November 2018 on the establishment, operation and use of the Schengen Information System (SIS) in the field of police cooperation and judicial cooperation in criminal matters, amending and repealing Council Decision 2007/533/JHA, and repealing Regulation (EC) No 1986/2006 of the European Parliament and of the Council and Commission Decision 2010/261/EU (OJ L 312, 7.12.2018, p. 56).		1. Schengen Information System

(a) Regulation (EU) 2018/1860 of the European Parliament and of the Council of 28 November 2018 on the use of the Schengen Information System for the return of illegally staying third-country nationals (OJ L 312, 7.12.2018, p. 1).

(b) Regulation (EU) 2018/1861 of the European Parliament and of the Council of 28 November 2018 on the establishment, operation and use of the Schengen Information System (SIS) in the field of border checks, and amending the Convention implementing the Schengen Agreement, and amending and repealing Regulation (EC) No 1987/2006 (OJ L 312, 7.12.2018, p. 14)

(c) Regulation (EU) 2018/1862 of the European Parliament and of the Council of 28 November 2018 on the establishment, operation and use of the Schengen Information System (SIS) in the field of police cooperation and judicial cooperation in criminal matters, amending and repealing Council Decision 2007/533/JHA, and repealing Regulation (EC) No 1986/2006 of the European Parliament and of the Council and Commission Decision 2010/261/EU (OJ L 312, 7.12.2018, p. 56).
Annex IX – point 22.Visa Information System

(a) Proposal for a REGULATION OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL amending Regulation (EC) No 767/2008, Regulation (EC) No 810/2009, Regulation (EU) 2017/2226, Regulation (EU) 2016/399, Regulation XX/2018 [Interoperability Regulation], and Decision 2004/512/EC and repealing Council Decision 2008/633/JHA – COM(2018) 302 final. To be updated once the Regulation is adopted (April/May 2021) by the co-legislators.		2. Visa Information System

(a) Proposal for a REGULATION OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL amending Regulation (EC) No 767/2008, Regulation (EC) No 810/2009, Regulation (EU) 2017/2226, Regulation (EU) 2016/399, Regulation XX/2018 [Interoperability Regulation], and Decision 2004/512/EC and repealing Council Decision 2008/633/JHA – COM(2018) 302 final. To be updated once the Regulation is adopted (April/May 2021) by the co-legislators.		2. Visa Information System

(a) Proposal for a REGULATION OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL amending Regulation (EC) No 767/2008, Regulation (EC) No 810/2009, Regulation (EU) 2017/2226, Regulation (EU) 2016/399, Regulation XX/2018 [Interoperability Regulation], and Decision 2004/512/EC and repealing Council Decision 2008/633/JHA – COM(2018) 302 final. To be updated once the Regulation is adopted (April/May 2021) by the co-legislators.		2. Visa Information System

(a) Proposal for a REGULATION OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL amending Regulation (EC) No 767/2008, Regulation (EC) No 810/2009, Regulation (EU) 2017/2226, Regulation (EU) 2016/399, Regulation XX/2018 [Interoperability Regulation], and Decision 2004/512/EC and repealing Council Decision 2008/633/JHA – COM(2018) 302 final. To be updated once the Regulation is adopted (April/May 2021) by the co-legislators.
Annex IX – point 33. Eurodac

(a) Amended proposal for a REGULATION OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL on the establishment of ‘Eurodac’ for the comparison of biometric data for the effective application of Regulation (EU) XXX/XXX [Regulation on Asylum and Migration Management] and of Regulation (EU) XXX/XXX [Resettlement Regulation], for identifying an illegally staying third-country national or stateless person and on requests for the comparison with Eurodac data by Member States’ law enforcement authorities and Europol for law enforcement purposes and amending Regulations (EU) 2018/1240 and (EU) 2019/818 – COM(2020) 614 final.		3. Eurodac

(a) Amended proposal for a REGULATION OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL on the establishment of ‘Eurodac’ for the comparison of biometric data for the effective application of Regulation (EU) XXX/XXX [Regulation on Asylum and Migration Management] and of Regulation (EU) XXX/XXX [Resettlement Regulation], for identifying an illegally staying third-country national or stateless person and on requests for the comparison with Eurodac data by Member States’ law enforcement authorities and Europol for law enforcement purposes and amending Regulations (EU) 2018/1240 and (EU) 2019/818 – COM(2020) 614 final.		3. Eurodac

(a) Amended proposal for a REGULATION OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL on the establishment of ‘Eurodac’ for the comparison of biometric data for the effective application of Regulation (EU) XXX/XXX [Regulation on Asylum and Migration Management] and of Regulation (EU) XXX/XXX [Resettlement Regulation], for identifying an illegally staying third- country national or stateless person and on requests for the comparison with Eurodac data by Member States’ law enforcement authorities and Europol for law enforcement purposes and amending Regulations (EU) 2018/1240 and (EU) 2019/818 – COM(2020) 614 final.		3. Eurodac

(a) Amended proposal for a REGULATION OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL on the establishment of ‘Eurodac’ for the comparison of biometric data for the effective application of Regulation (EU) XXX/XXX [Regulation on Asylum and Migration Management] and of Regulation (EU) XXX/XXX [Resettlement Regulation], for identifying an illegally staying third-country national or stateless person and on requests for the comparison with Eurodac data by Member States’ law enforcement authorities and Europol for law enforcement purposes and amending Regulations (EU) 2018/1240 and (EU) 2019/818 – COM(2020) 614 final.
Annex IX – point 44. Entry/Exit System

(a) Regulation (EU) 2017/2226 of the European Parliament and of the Council of 30 November 2017 establishing an Entry/Exit System (EES) to register entry and exit data and refusal of entry data of third-country nationals crossing the external borders of the Member States and determining the conditions for access to the EES for law enforcement purposes, and amending the Convention implementing the Schengen Agreement and Regulations (EC) No 767/2008 and (EU) No 1077/2011 (OJ L 327, 9.12.2017, p. 20).		4. Entry/Exit System

(a) Regulation (EU) 2017/2226 of the European Parliament and of the Council of 30 November 2017 establishing an Entry/Exit System (EES) to register entry and exit data and refusal of entry data of third-country nationals crossing the external borders of the Member States and determining the conditions for access to the EES for law enforcement purposes, and amending the Convention implementing the Schengen Agreement and Regulations (EC) No 767/2008 and (EU) No 1077/2011 (OJ L 327, 9.12.2017, p. 20).		4. Entry/Exit System

(a) Regulation (EU) 2017/2226 of the European Parliament and of the Council of 30 November 2017 establishing an Entry/Exit System (EES) to register entry and exit data and refusal of entry data of third-country nationals crossing the external borders of the Member States and determining the conditions for access to the EES for law enforcement purposes, and amending the Convention implementing the Schengen Agreement and Regulations (EC) No 767/2008 and (EU) No 1077/2011 (OJ L 327, 9.12.2017, p. 20).		4. Entry/Exit System

(a) Regulation (EU) 2017/2226 of the European Parliament and of the Council of 30 November 2017 establishing an Entry/Exit System (EES) to register entry and exit data and refusal of entry data of third-country nationals crossing the external borders of the Member States and determining the conditions for access to the EES for law enforcement purposes, and amending the Convention implementing the Schengen Agreement and Regulations (EC) No 767/2008 and (EU) No 1077/2011 (OJ L 327, 9.12.2017, p. 20).
Annex IX – point 55. European Travel Information and Authorisation System

(a) Regulation (EU) 2018/1240 of the European Parliament and of the Council of 12 September 2018 establishing a European Travel Information and Authorisation System (ETIAS) and amending Regulations (EU) No 1077/2011, (EU) No 515/2014, (EU) 2016/399, (EU) 2016/1624 and (EU) 2017/2226 (OJ L 236, 19.9.2018, p. 1).

(b) Regulation (EU) 2018/1241 of the European Parliament and of the Council of 12 September 2018 amending Regulation (EU) 2016/794 for the purpose of establishing a European Travel Information and Authorisation System (ETIAS) (OJ L 236, 19.9.2018, p. 72).		5. European Travel Information and Authorisation System

(a) Regulation (EU) 2018/1240 of the European Parliament and of the Council of 12 September 2018 establishing a European Travel Information and Authorisation System (ETIAS) and amending Regulations (EU) No 1077/2011, (EU) No 515/2014, (EU) 2016/399, (EU) 2016/1624 and (EU) 2017/2226 (OJ L 236, 19.9.2018, p. 1).

(b) Regulation (EU) 2018/1241 of the European Parliament and of the Council of 12 September 2018 amending Regulation (EU) 2016/794 for the purpose of establishing a European Travel Information and Authorisation System (ETIAS) (OJ L 236, 19.9.2018, p. 72).		5. European Travel Information and Authorisation System

(a) Regulation (EU) 2018/1240 of the European Parliament and of the Council of 12 September 2018 establishing a European Travel Information and Authorisation System (ETIAS) and amending Regulations (EU) No 1077/2011, (EU) No 515/2014, (EU) 2016/399, (EU) 2016/1624 and (EU) 2017/2226 (OJ L 236, 19.9.2018, p. 1).

(b) Regulation (EU) 2018/1241 of the European Parliament and of the Council of 12 September 2018 amending Regulation (EU) 2016/794 for the purpose of establishing a European Travel Information and Authorisation System (ETIAS) (OJ L 236, 19.9.2018, p. 72).		5. European Travel Information and Authorisation System

(a) Regulation (EU) 2018/1240 of the European Parliament and of the Council of 12 September 2018 establishing a European Travel Information and Authorisation System (ETIAS) and amending Regulations (EU) No 1077/2011, (EU) No 515/2014, (EU) 2016/399, (EU) 2016/1624 and (EU) 2017/2226 (OJ L 236, 19.9.2018, p. 1).

(b) Regulation (EU) 2018/1241 of the European Parliament and of the Council of 12 September 2018 amending Regulation (EU) 2016/794 for the purpose of establishing a European Travel Information and Authorisation System (ETIAS) (OJ L 236, 19.9.2018, p. 72).
Annex IX – point 66. European Criminal Records Information System on third-country nationals and stateless persons

(a) Regulation (EU) 2019/816 of the European Parliament and of the Council of 17 April 2019 establishing a centralised system for the identification of Member States holding conviction information on third-country nationals and stateless persons (ECRIS-TCN) to supplement the European Criminal Records Information System and amending Regulation (EU) 2018/1726 (OJ L 135, 22.5.2019, p. 1).		6. European Criminal Records Information System on third-country nationals and stateless persons

(a) Regulation (EU) 2019/816 of the European Parliament and of the Council of 17 April 2019 establishing a centralised system for the identification of Member States holding conviction information on third-country nationals and stateless persons (ECRIS-TCN) to supplement the European Criminal Records Information System and amending Regulation (EU) 2018/1726 (OJ L 135, 22.5.2019, p. 1).		6. European Criminal Records Information System on third-country nationals and stateless persons

(a) Regulation (EU) 2019/816 of the European Parliament and of the Council of 17 April 2019 establishing a centralised system for the identification of Member States holding conviction information on third-country nationals and stateless persons (ECRIS-TCN) to supplement the European Criminal Records Information System and amending Regulation (EU) 2018/1726 (OJ L 135, 22.5.2019, p. 1).		6. European Criminal Records Information System on third-country nationals and stateless persons

(a) Regulation (EU) 2019/816 of the European Parliament and of the Council of 17 April 2019 establishing a centralised system for the identification of Member States holding conviction information on third-country nationals and stateless persons (ECRIS-TCN) to supplement the European Criminal Records Information System and amending Regulation (EU) 2018/1726 (OJ L 135, 22.5.2019, p. 1).
Annex IX – point 77. Interoperability

(a) Regulation (EU) 2019/817 of the European Parliament and of the Council of 20 May 2019 on establishing a framework for interoperability between EU information systems in the field of borders and visa (OJ L 135, 22.5.2019, p. 27).

(b) Regulation (EU) 2019/818 of the European Parliament and of the Council of 20 May 2019 on establishing a framework for interoperability between EU information systems in the field of police and judicial cooperation, asylum and migration (OJ L 135, 22.5.2019, p. 85).		7. Interoperability

(a) Regulation (EU) 2019/817 of the European Parliament and of the Council of 20 May 2019 on establishing a framework for interoperability between EU information systems in the field of borders and visa (OJ L 135, 22.5.2019, p. 27).

(b) Regulation (EU) 2019/818 of the European Parliament and of the Council of 20 May 2019 on establishing a framework for interoperability between EU information systems in the field of police and judicial cooperation, asylum and migration (OJ L 135, 22.5.2019, p. 85).		7. Interoperability

(a) Regulation (EU) 2019/817 of the European Parliament and of the Council of 20 May 2019 on establishing a framework for interoperability between EU information systems in the field of borders and visa (OJ L 135, 22.5.2019, p. 27).

(b) Regulation (EU) 2019/818 of the European Parliament and of the Council of 20 May 2019 on establishing a framework for interoperability between EU information systems in the field of police and judicial cooperation, asylum and migration (OJ L 135, 22.5.2019, p. 85).		7. Interoperability

(a) Regulation (EU) 2019/817 of the European Parliament and of the Council of 20 May 2019 on establishing a framework for interoperability between EU information systems in the field of borders and visa (OJ L 135, 22.5.2019, p. 27).

(b) Regulation (EU) 2019/818 of the European Parliament and of the Council of 20 May 2019 on establishing a framework for interoperability between EU information systems in the field of police and judicial cooperation, asylum and migration (OJ L 135, 22.5.2019, p. 85).