AI Agents Fall Under Existing AI System and GPAI Rules

AI agents, typically built on general-purpose AI (GPAI) models with interfaces for environmental input/output (e.g., function calls), qualify as AI systems per Article 3(1). No separate category exists; prohibitions on harmful manipulation (Article 5(1)(a-b)) apply immediately, requiring design safeguards against significant harm. From August 2, 2026, high-risk agents face Chapter III requirements for safety/trustworthiness. Transparency rules (Article 50) mandate disclosure for person-interacting or content-generating agents; a Code of Practice is in development.

GPAI models in agents may trigger systemic risk designation if autonomous/tool-using (Article 51(1)(b), Annex XIII(e)). Providers must manage risks like agentic capabilities (e.g., GPAI Code of Practice appendices on autonomy, tool integration). Quote: "The definitions of an AI system in Article 3(1) AI Act and of a GPAI model in Article 3(63) AI Act are sufficient to cover AI agents."

Commission monitors fast-evolving agents; recent €9M tender targets agent safety evaluation.

Digital Omnibus Amendments Simplify Compliance and Governance

Proposed changes address 2025 stakeholder feedback on implementation hurdles, aligning with AI Continent Action Plan. Key shifts:

  • Timeline flexibility: High-risk rules (Annex III: employment/law enforcement) delayed max 16 months; Annex I (e.g., medical devices) max 12 months—tied to standards availability, with transition periods.
  • SME extensions to SMCs: Simplified technical docs, etc., for 8,250 more firms; cuts registration for non-high-risk tasks in high-risk areas.
  • Literacy/support focus: Commission/Member States build repositories (e.g., AI Office's practices) over operator mandates; high-risk deployers retain training duties.
  • Flexibility gains: Drop harmonized post-market plans; allow special data processing for bias detection.
  • Governance streamlining: AI Office centralizes GPAI/systems oversight; handles large platforms/search engines.
  • Innovation boosts: Broader sandboxes/real-world testing; EU-level sandbox by 2028; 6-month transition for generative AI detectability.

Benefits: Reduced costs, easier rollout for 8,250+ companies, single trustworthy AI market. Quote: "The Commission is committed to a clear, simple and innovation friendly implementation of the AI Act."

Risk-Based Framework and Obligations by Category

AI Act regulates only Article 3(1)-defined systems via four tiers:

  1. Unacceptable risk (prohibited): E.g., emotion detection at work (non-medical), social scoring (Article 5). Applies immediately to all systems.
  2. High-risk: Annex I (regulated products, e.g., vehicles) or Annex III (8 areas: biometrics, critical infra, education, employment, etc.). Requirements: risk management, data governance, logging, human oversight, EU database registration, user instructions. Phased: Annex III from 2026; Annex I 2027.
  3. Transparency: Chatbots/deepfakes label AI interaction/content (Article 50); deployers disclose generated content.
  4. Minimal/no risk (~85% systems): No obligations; voluntary codes encouraged.

Quote: "The AI Act follows a risk-based approach and introduces rules for AI systems based on the level of risk they can pose."

High-risk providers ensure pre-market compliance; substantial mods trigger reassessment. Evolving systems need risk frameworks; public authority use mandates compliance by 2030.

Scope, Definitions, and Legacy Applicability

AI system vs. model: Systems operate autonomously, infer outputs influencing environments (Article 3(1), Recital 12)—includes ML and logic/knowledge-based (e.g., rule inference, expert systems). GPAI models (Article 3(63), e.g., large generative) are components needing interfaces to become systems (Recital 97).

Legacy systems: Prohibitions immediate; high-risk pre-2026 only if substantially modified or public authority use (by 2030); GPAI pre-2025 comply by 2027; Annex X large IT by 2030.

Timeline:

  • Feb 2, 2025: Prohibitions, literacy.
  • Aug 2, 2025: Governance, GPAI.
  • Aug 2, 2026: High-risk Annex III, transparency, enforcement start.
  • Aug 2, 2027: Annex I high-risk. Full by 2027; flexible amendments possible (e.g., Annex III yearly review).

Objectives: Foster innovation/safety/rights; avoid market fragmentation. Quote: "The EU AI Act is the world's first comprehensive AI law. It aims to promote innovation and uptake of AI, while ensuring a high level of protection of health, safety and fundamental rights."

Key Takeaways

  • Classify your AI (agent/system/GPAI) using Articles 3(1)/3(63); build safeguards against Article 5 prohibitions now.
  • For high-risk, implement risk management, data governance, oversight before 2026/2027 deadlines—monitor standards for delays.
  • Label transparency-risk outputs (chatbots, deepfakes) per Article 50; watch upcoming Code of Practice.
  • Leverage amendments: SMCs gain SME perks; use sandboxes for testing; central AI Office oversight simplifies GPAI.
  • Legacy high-risk? Assess mods/public use; comply phased (2030 max).
  • Logic/knowledge-based count as AI techniques (Recital 12)—don't assume exemption.
  • Stay updated via AI Act Service Desk, guidelines; voluntary codes for low-risk build trust.
  • Providers: Register high-risk in EU DB, provide deployer instructions.
  • Deployers: Train on high-risk; disclose AI-generated content.