Navigate the EU AI Act with confidence
Determine if your system qualifies as AI and understand your compliance requirements under the new European AI Act and French regulations.
The world's first comprehensive AI law (Regulation EU 2024/1689), effective from August 1, 2024. It establishes harmonized rules for AI systems across the EU using a risk-based approach. The regulation applies to providers placing AI systems on the EU market and users of AI systems located within the EU.
The General Data Protection Regulation (2016/679) continues to apply to AI systems that process personal data. AI systems must comply with both GDPR requirements (lawful basis, data minimization, transparency) and AI Act obligations when processing personal data.
GDPR Guide by CNILFrance must designate national competent authorities by August 2, 2025. The CNIL (data protection authority) provides specific guidance on AI and personal data. French courts will enforce penalties ranging from €7.5M to €35M or up to 7% of worldwide annual turnover.
CNIL AI GuideUnderstanding the Legal Definition
According to Article 3(1) of the AI Act, an 'AI system' is a machine-based system that is designed to operate with varying levels of autonomy and that may exhibit adaptiveness after deployment, and that, for explicit or implicit objectives, infers, from the input it receives, how to generate outputs such as predictions, content, recommendations or decisions that can influence physical or virtual environments.
The system operates on machines (computers, servers, embedded systems). This excludes purely biological intelligence but includes software running on hardware.
The system can operate with different degrees of independence from human control, from minimal automation to fully autonomous operation.
The system may change its behavior after deployment based on experience, though not all AI systems need to be adaptive to qualify.
The system draws conclusions or makes deductions from input data to generate outputs, distinguishing it from traditional deterministic software.
Must generate predictions, content, recommendations, or decisions that can influence physical or virtual environments.
Some systems may be difficult to classify and require detailed technical assessment:
Social scoring, emotion detection at work, and biometric categorization banned
General-purpose AI model obligations become effective
All high-risk system requirements fully applicable
Social scoring, emotion detection at work, and biometric categorization banned
General-purpose AI model obligations become effective
All high-risk system requirements fully applicable
Systems banned under Article 5 that manipulate human behavior, exploit vulnerabilities, or violate fundamental rights. Includes subliminal techniques, social scoring by governments, real-time biometric identification in public spaces (with exceptions), emotion recognition in workplaces/schools, and biometric categorization systems.
Social credit systems, workplace emotion detection, subliminal advertising AI, real-time facial recognition in public
Up to €35M or 7% of global turnover
Systems listed in Annex III or embedded in regulated products. Requires conformity assessment, CE marking, registration, human oversight, accuracy testing, robustness measures, and documentation. Covers critical infrastructure, education, employment, essential services, law enforcement, migration, and democratic processes.
CV screening systems, credit scoring, medical diagnostic AI, autonomous vehicles, critical infrastructure management
Up to €15M or 3% of global turnover
AI systems that interact directly with humans must inform users they are interacting with AI (Article 50). Includes chatbots, deepfakes, emotion recognition systems, and biometric categorization systems not otherwise prohibited or high-risk.
Customer service chatbots, content generation tools, image/video manipulation software, voice assistants
Up to €7.5M or 1.5% of global turnover
All other AI systems not falling under prohibited, high-risk, or limited risk categories. No specific AI Act obligations but must comply with general EU laws (GDPR, consumer protection, product liability). Companies may voluntarily adopt codes of conduct.
Spam filters, video game AI, inventory management systems, basic recommendation engines
Standard GDPR penalties may apply
Complete text of Regulation (EU) 2024/1689 published in the Official Journal. Available in all EU languages with detailed provisions, annexes, and definitions.
Official implementation guidelines, FAQ, and policy documents from the European Commission's Digital Strategy directorate.
French data protection authority guidance on AI systems and GDPR compliance, including specific recommendations for AI deployment.
France's national strategy for artificial intelligence development, including public sector AI adoption and regulatory framework.