DEV Community: eurlexa

EU AI Act Coming into Effect in February 2025

eurlexa — Fri, 31 Jan 2025 08:20:37 +0000

On February 2, 2025, important provisions of the EU AI Act come into effect.

You can find the most recent text of the AI Act here: https://www.eurlexa.com/act/en/32024R1689/present/text

Anyone Who Deploys AI Can Be Fined

A crucial takeaway is that not only AI developers will be affected but also any private person or company deploying AI systems. The AI Act refers to these entities as "deployers." The deployed AI may often be third-party systems.

The AI Act defines a deployer broadly as follows:

"a natural or legal person, public authority, agency or other body using an AI system under its authority except where the AI system is used in the course of a personal non-professional activity"

For instance, a company using a third-party AI system for customer service, fraud prevention, internal procedures chatbot etc. would be classified as a deployer.

General Duties

Risk Classification: The Act categorizes AI systems into four risk levels: unacceptable, high, limited, and minimal risk. Unacceptable-risk AI systems are prohibited outright, while high-risk systems face stringent requirements.
Compliance Requirements: Providers and deployers of high-risk AI applications must conduct conformity assessments, ensure transparency, and maintain robust governance frameworks. They are also required to ensure that their staff possess adequate AI literacy.
Governance Structure: The Act mandates the establishment of a governance framework at both European and national levels, which includes the creation of an AI Office responsible for monitoring and supervising compliance.
Penalties for Noncompliance: Penalties for violations can be severe, ranging from €7.5 million or 1.5% of global annual turnover to €35 million or 7%, depending on the nature of the infringement.

Obligations for End User Businesses (Deployers)

Monitoring and Compliance: Deployers must monitor the operation of high-risk AI systems based on the provider's instructions for use. This includes ensuring that the systems operate safely and effectively within their intended context.
Reporting Risks: If deployers suspect that using an AI system according to the provider's instructions may lead to risks as defined by the Act, they are required to inform the provider and cease using the system until the issue is resolved.
Transparency Requirements: For AI systems that generate or manipulate content (e.g., deepfakes), deployers must clearly disclose that such content has been AI-generated or manipulated. This is part of broader transparency obligations aimed at ensuring users can interpret and understand AI outputs appropriately.
Record Keeping: Deployers need to maintain logs of the AI system's operation to ensure traceability and accountability, which can be crucial for compliance checks and audits.
Impact Assessments: Certain deployers, particularly public bodies and private operators providing public services, may be required to conduct fundamental rights impact assessments before deploying high-risk AI systems. This involves evaluating the potential impact of these systems in their specific contexts.

Timeline for Compliance

February 2, 2025: Initial compliance measures for certain provisions begin.
August 2, 2025: Additional obligations for users of general-purpose AI models and commencement of penalties.
August 2, 2026: Full application of most provisions related to high-risk AI systems.

This staggered implementation allows deployers time to adjust their practices in AI deployment.

You can see more detail timeline here: https://www.eurlexa.com/act/en/32024R1689/present/timeline

🚀 We Have Released Eurlexa - EU Regulation at Your Fingertips 🇪🇺🎉

eurlexa — Wed, 15 Jan 2025 07:54:08 +0000

After more than 2-year-long journey developing Eurlexa we are happy to announce that Eurlexa web app is on at https://www.eurlexa.com

You are more than welcome to visit.

Eurlexa brings EU legislation to your fingertips. Access and search EU regulations and directives with ease on Eurlexa. Eurlexa is a mobile-optimized, user-friendly alternative to EUR-Lex for quick legal references.

Eurlexa uses mainly these amazing modern, as well as some quite old, technologies:

SvelteKit
Supabase and PostgreSQL
GitHub Actions
PWA
Vercel
SOAP
SPARQL

The features include:

Mobile optimizations
Autosuggest search
Localization for all EU languages
Table of contents with hashtag links to relevant sections
The most recent version of regulations or directives, as well as all prior versions
A track changes view highlighting differences from previous versions
Timeline of all amendments and corrections and important dates
Highlighter
Details on all implementing regulations, judicial precedents, or proposed changes
Progressive Web App (PWA)
And much more

Feel free to explore all features Eurlexa

EU Drops the Hammer: MiCA Crypto Regulations Now in Full Force in 2025

eurlexa — Tue, 14 Jan 2025 18:03:59 +0000

(This is a repost under the new Eurlexa Team profile, where we aim to centralize all posts related to Eurlexa.)

Do you have or use crypto? Are you providing crypto services? If so, in 2025, you need to be very careful, especially if you or your clients or investors are from the European Union.

TL;DR

As of January 2025, all crypto-asset service providers will need to begin applying for licenses to operate under MiCA in EU.

MiCA Latest Version

On December 30, 2024, the EU Crypto Regulation known as MiCA came into full effect. The full text of the latest version of MiCA can be found here:

https://www.eurlexa.com/act/en/32023R1114/present/text

Recent Changes

Interestingly, this is already the second version of MiCA. The initial text can be found here.

The main changes are:

The EU Commission has been given the power to supplement MiCA by adopting regulatory technical standards in certain areas.
Issuers, offerors, or persons seeking admission to trading are required to submit inside information to the European Single Access Point (expected to operate from 2030).

You can view the specific updates in detail with track changes mode here.

Objectives of MiCA

MiCA is a comprehensive framework designed to regulate crypto assets across the EU.

Unified Regulatory Framework: MiCA establishes a single set of rules applicable to all 27 EU member states, replacing the fragmented regulatory landscape that previously existed. So far, so good — you won’t need to study crypto rules for each individual EU member state.
Consumer Protection: MiCA introduces consumer protection measures, including transparency requirements for issuers of crypto-assets, and obligations for crypto-asset service providers (CASPs) to clearly communicate the risks associated with crypto investments. Given the many unfortunate stories from crypto customers, these protective measures are a much-needed step.
Market Integrity: MiCA aims to strengthen confidence in crypto markets by prohibiting market manipulation and insider trading. This is a fair addition, similar to regulations in traditional capital markets.

Key Provisions

Now comes the tricky part for crypto in the EU.

Licensing Requirements: All CASPs must obtain authorization from national competent authorities to operate within the EU. This includes having at least one director based in the EU and maintaining a registered office there. Competent authorities are typically financial market regulators, not IT experts, making it difficult to predict how stringent the rulings will be. It’s also possible that we may see "licence shopping" — CASPs choosing the most favorable EU regulator. More details on application to provide crypto-asset services are here https://www.eurlexa.com/act/en/32023R1114/present/text#Article-62-Application-for-authorisation-as-a-crypto-asset-service-provider
Regulatory Oversight: The European Securities and Markets Authority (ESMA) will oversee significant CASPs — those with more than 15 million active users.
Issuers' Obligations: Issuers of asset-referenced tokens (ARTs) and electronic money tokens (EMTs) must prepare detailed whitepapers outlining their offerings, including risks and terms of investment. More details describing content and form of the crypto-asset white paper are here https://www.eurlexa.com/act/en/32023R1114/present/text#Article-6-Content-and-form-of-the-crypto-asset-white-paper
Anti-Money Laundering (AML): All CASPs are required to implement strong AML policies to ensure compliance with EU financial service standards. This was, of course, expected, especially in light of sanctions imposed on Russia.

Licensing and Transitional Period

As of January 1, 2025, all CASPs will need to begin applying for licenses to operate under MiCA in EU. Here are the key details regarding the transitional provisions and licensing process:

Transitional Period: Existing virtual asset service providers (VASPs) — the more commonly used term outside the EU for crypto providers — can continue to operate under their current national licenses until December 31, 2025. In some countries, this transitional period may be extended until July 1, 2026. This allows VASPs time to apply for a MiCA CASP license while still providing services legally.
License Application Submission: From January 1, 2025, companies must submit their applications for a MiCA CASP license. However, they could have begun preparing and submitting applications as early as April 22, 2024, for pre-examination by local authorities, although formal authorization cannot be granted until MiCA comes into effect on December 30, 2024.
Application Process: Submitting a license application is necessary but not sufficient on its own. The application must be complete and meet all regulatory requirements. The review process typically takes around 40 working days, but it can take longer if additional information is requested or if the application is complex.
Continued Operation During Application: While existing VASPs can operate under their current licenses during the transition period, they must ensure that they submit their CASP license applications before the end of this period to avoid interruptions in service.

In summary, existing providers have until the end of 2025 to transition to a MiCA CASP license while continuing their operations, provided they apply for the new license in a timely manner.

Implementing Regulations

Welcome to the EU bureaucracy! Below is a comprehensive list of all EU regulations that supplement or implement MiCA:

Conclusion

In summary, MiCA aims to create one transparent environment for crypto assets within the EU. As the regulation comes into full effect in 2025, it will significantly shape how crypto-asset service providers operate in Europe, hopefully fostering innovation while ensuring accountability within the market.

Disclosure: I am a member of eurlexa team. On Eurlexa you can access and search EU regulations and directives with ease. Eurlexa is a mobile-optimized, user-friendly alternative to EU offical and rather cumbersome EUR-Lex.

🇪🇺 8 EU Regulations Every Developer Must Know ⚖️💻

eurlexa — Tue, 14 Jan 2025 18:03:45 +0000

(This is a repost under the new Eurlexa Team profile, where we aim to centralize all posts related to Eurlexa.)

Recently, I was involved in coverage of specific rules and regulations that web pages or applications in the EU must adhere to. I thought it might be interesting for others as well to know the most important EU legal rules for IT and web developers.

Sometimes these Directives and Regulations sets only the basic framework and have many implementing technical regulations as you can learn bellow.

The most important EU regulations and directives that may affect development are:

Directive on Privacy and Electronic Communications
General Data Protection Regulation
Artificial Intelligence Act
Digital Services Act
Digital Markets Act
Cyber Resilience Act
Directive on Measures for a High Common Level of Cybersecurity
Regulation on Digital Operational Resilience

Directive on Privacy and Electronic Communications

Current consolidated version: Cookie Directive
Implementing regulations: link
Judicial precedents: link
Amendments and corrections: link
Full title: Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications)
Also known as: Cookie Directive, ePrivacy Directive
Who should be concerned?
- Any service that uses cookies (other than strictly necessary cookies) or similar tracking technologies, and companies providing electronic communications services
Caveats:
- Cookies other than strictly necessary ones stored on a user’s device require the user's consent

General Data Protection Regulation

Current consolidated version: GDPR
Implementing regulations: link
Judicial precedents: link
Amendments and corrections: link
Full title: Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)
Also known as: GDPR, Data Protection Regulation
Who should be concerned?
- Anyone who collects or processes personal data, regardless of their form, size, or sector
Caveats:
- Cases when you send personal data outside the EU (this may include the full user IP address to Google, Vercel, etc.)

Artificial Intelligence Act

Current consolidated version: AI Act
Implementing regulations: link
Judicial precedents: link
Amendments and corrections: link
Full title: Regulation (EU) 2024/1689 of the European Parliament and of the Council of 13 June 2024 laying down harmonised rules on artificial intelligence and amending Regulations (EC) No 300/2008, (EU) No 167/2013, (EU) No 168/2013, (EU) 2018/858, (EU) 2018/1139 and (EU) 2019/2144 and Directives 2014/90/EU, (EU) 2016/797 and (EU) 2020/1828 (Artificial Intelligence Act)
Also known as: AI Act, Artificial Intelligence Act
Who should be concerned?
- Developers or providers of AI systems, especially those classified as high-risk or unacceptable risk
- Companies across various sectors that utilize AI technologies for decision-making, customer interaction, or operational efficiency
Caveats:
- Severe penalties for non-compliance, including fines up to €35 million or 7% of global annual turnover

Digital Services Act

Current consolidated version: DSA
Implementing regulations: link
Judicial precedents: link
Amendments and corrections: link
Full title: Regulation (EU) 2022/2065 of the European Parliament and of the Council of 19 October 2022 on a Single Market For Digital Services and amending Directive 2000/31/EC (Digital Services Act)
Also known as: DSA, DSA Regulation
Who should be concerned?
- Online platforms and very large online platforms (VLOPs)
Caveats:
- FAANG (Facebook, Amazon, Apple, Netflix, Google) or MAMAA (Meta, Apple, Microsoft, Amazon, Alphabet)

Digital Markets Act

Current consolidated version: DMA
Implementing regulations: link
Judicial precedents: link
Amendments and corrections: link
Full title: Regulation (EU) 2022/1925 of the European Parliament and of the Council of 14 September 2022 on contestable and fair markets in the digital sector and amending Directives (EU) 2019/1937 and (EU) 2020/1828 (Digital Markets Act)
Also known as: DMA, DMA Regulation
Who should be concerned?
- Gatekeeper platforms
Caveats:
- Alphabet (Google), Amazon, Apple, ByteDance (TikTok), Meta (Facebook) and Microsoft

Cyber Resilience Act

Current consolidated version: CRA
Implementing regulations: link
Judicial precedents: link
Amendments and corrections: link
Full title: Regulation (EU) 2024/2847 of the European Parliament and of the Council of 23 October 2024 on horizontal cybersecurity requirements for products with digital elements and amending Regulations (EU) No 168/2013 and (EU) 2019/1020 and Directive (EU) 2020/1828 (Cyber Resilience Act)
Also known as: CRA, CRA Directive
Who should be concerned?
- manufacturers, importers and distributors of products with digital elements having data connection to a device or network
Caveats:
- Organizations involved in developing open-source software intended for commercial use must implement cybersecurity policies and procedures as well

Directive on Measures for a High Common Level of Cybersecurity

Current consolidated version: NIS 2
Implementing regulations: link
Judicial precedents: link
Amendments and corrections: link
Full title: Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022 on measures for a high common level of cybersecurity across the Union, amending Regulation (EU) No 910/2014 and Directive (EU) 2018/1972, and repealing Directive (EU) 2016/1148 (NIS 2 Directive)
Also known as: NIS 2, NIS 2 Directive
Who should be concerned?
- Companies in essential sectors such as energy, transport, healthcare, cloud computing services, internet service providers (ISPs), financial services, food production and distribution, chemicals production
Caveats:
- Organizations must report significant incidents not only to national authorities but also to affected service recipients without undue delay
- entities are required to assess the cybersecurity posture of their suppliers

Regulation on Digital Operational Resilience

Current consolidated version: DORA
Implementing regulations: link
Judicial precedents: link
Amendments and corrections: link
Full title: Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011
Also known as: DORA, DORA Regulation
Who should be concerned?
- Financial Institutions and their IT services providers
Caveats:
- Financial institutions must establish rigorous oversight mechanisms and ensure that their vendors comply with DORA
- Financial institutions have to report their key IT vendros to regulators

So, if you are asked to deliver IT services to a financial institution in the EU, and the project includes AI models for customers' payment terminals data, including an accompanying web app and phone app, as well as servers and database hosted outside of the EU, God bless you.