High-Risk AI Obligations
This specific topic is needed to comprehensively cover the distinct set of obligations imposed specifically on providers of high-risk AI systems under Articles 16-17 of the AI Act, which is the core subject of this content and goes beyond general provider obligations.
high-risk AI provider obligations provider requirements for high-risk AI Article 16 AI Act Article 17 AI Act pre-market obligations post-market obligations compliance obligations risk management obligations
Overview
Legal Framework
The core obligations for providers of high-risk AI systems are established by Articles 16 and 17 of the AI Act. These articles impose specific, additional duties that go beyond the general provider obligations in Chapter III. Article 16 mandates that providers ensure their high-risk AI systems are accompanied by clear and comprehensive instructions for use. These instructions must contain specified information, including the identity of the provider, the system's characteristics and performance, any human oversight measures required, and the changes the system will undergo through automatic software updates. Article 17 requires providers to establish a post-market monitoring system. This system must actively and systematically collect, document, and analyze data from the system's performance after it is placed on the market or put into service, allowing the provider to evaluate its continuous compliance.
Practical Application
As the AI Act is a directly applicable regulation, its provisions create uniform obligations across the EU, leaving limited scope for divergent national implementation in this field. The authoritative commentary notes that this direct effect is similar to the GDPR's structure. The obligations under Articles 16 and 17 are concrete and action-oriented for providers. Compliance with Article 16 requires creating technical documentation that is usable, not just a formal checklist, ensuring deployers can implement the system safely and as intended. For Article 17, the post-market monitoring system must be a proactive, integrated business process, not a reactive complaint-handling mechanism. It is designed to feed data back into risk management and facilitate immediate corrective action if systemic risks are identified. Recital 137 clarifies that meeting these transparency and instruction obligations does not, in itself, constitute a declaration that the system's use is lawful under other EU or national laws.
Key Considerations
- The instructions for use under Article 16 are a key compliance document and a primary tool for enabling safe deployment; they should be drafted for the end-user, not just for auditors.
- The Article 17 post-market monitoring system must be planned before market launch and requires defined procedures for data collection, analysis timelines, and escalation pathways for identified risks or serious incidents.
- Providers should note that these obligations are without prejudice to other sector-specific transparency or monitoring rules (e.g., in medical device or machinery regulations), which may apply cumulatively.
Laws (14)
Recital 137
Recital 174
Article 50
Transparantieverplichtingen voor aanbieders en gebruiksverantwoordelijken van bepaalde AI-systemen
Recital 26
Recital 132
Recital 135
Recital 174
Article 50
Transparency obligations for providers and deployers of certain AI systems
Recital 26
Recital 132
Recital 137
Recital 134
TRANSPARENCY OBLIGATIONS FOR PROVIDERS AND DEPLOYERS OF CERTAIN AI SYSTEMS
Guidance (19)
Richtsnoeren 05/2020 inzake toestemming overeenkomstig Verordening 2016/679
guidelines toestemming
GROEP GEGEVENSBESCHERMING ARTIKEL 29
guidelines transparantie
Versiegeschiedenis
guidelines uitvoeren overeenkomst
Version history
Guidelines 06/2020 on the interplay of the Second Payment Services Directive and the GDPR
Guidelines on the Interplay between the application of Article 3 and the provisions on international transfers as per Chapter V of the GDPR
Guidelines 8/2020 on the targeting of social media users
Guidelines on the targeting of social media users
Versiegeschiedenis
guidelines wisselwerking toepassing artikel 3 en hoofdstuk V AVG
De AVG bevat geen juridische definitie van het begrip 'doorgifte van persoonsgegevens aan een derde land of aan een internationale organisatie'. Daarom verstrekt de EDPB deze richtsnoeren om te verduidelijken op welke scenario's de voorschriften van hoofdstuk V volgens hem moeten worden toegepast en heeft hij daartoe drie cumulatieve criteria vastgesteld waaraan een verwerkingsactiviteit moet voldoen om als een doorgifte te worden aangemerkt: - 1) Een verwerkingsverantwoord...
Version history
Guidelines on articles 46 (2) (a) and 46 (3) (b) of Regulation 2016/679 for transfers of personal data between EEA and non-EEA public authorities and bodies
Version history
Guidelines on the Interplay between the application of Article 3 and the provisions on international transfers as per Chapter V of the GDPR
The GDPR does not provide for a legal definition of the notion 'transfer of personal data to a third country or to an international organisation'. Therefore, the EDPB provides these guidelines to clarify the scenarios to which it considers that the requirements of Chapter V should be applied and, to that end, it has identified three cumulative criteria to qualify a processing operation as a transfer: - 1) A controller or a processor ('exporter') is subject to the GDPR for the given processing. -...
Guidelines 04/2022 on the calculation of administrative fines under the GDPR
Guidelines on the calculation of administrative fines under the GDPR
The European Data Protection Board (EDPB) has adopted these guidelines to harmonise the methodology supervisory authorities use when calculating of the amount of the fine. These Guidelines complement the previously adopted Guidelines on the application and setting of administrative fines for the purpose of the Regulation 2016/679 (WP253), which focus on the circumstances in which to impose a fine. The calculation of the amount of the fine is at the discretion of the supervisory authority, ...
Guidelines 3/2018 on the territorial scope of the GDPR (Article 3)
Guidelines on the territorial scope of the GDPR
ARTICLE 29 DATA PROTECTION WORKING PARTY
Guidelines on transparency
VERSIEGESCHIEDENIS
binding corporate rules voor verwerkingsverantwoordelijken
Richtsnoeren 04/2022 voor de berekening van administratieve geldboeten krachtens de AVG
guidelines berekenen administratieve boetes
Het Europees Comité voor gegevensbescherming (EDPB) heeft deze richtsnoeren vastgesteld met het oog op de harmonisatie van de methode die de toezichthoudende autoriteiten gebruiken om het bedrag van de geldboete te berekenen. Deze richtsnoeren vormen een aanvulling op de eerder vastgestelde Richtsnoeren voor de toepassing en vaststelling van administratieve geldboeten in de zin van Verordening (EU) 2016/679 (WP 253), die betrekking hebben op de omstandigheden waarin een geldboete moet worden opg...
Versiegeschiedenis
guidelines doorgifte van persoonsgegevens tussen overheidsinstanties en -organen binnen en buiten de EER
Richtsnoeren 3/2022 betreffende het herkennen en vermijden van misleidende ontwerppatronen in de interfaces van socialemediaplatforms
guidelines misleidende ontwerppatronen
Deze richtsnoeren bieden praktische aanbevelingen aan aanbieders van sociale media als verwerkingsverantwoordelijken van sociale media, ontwerpers en gebruikers van socialemediaplatforms, over het beoordelen en vermijden van zogenaamde 'misleidende ontwerp patronen' in de interfaces van sociale media die inbreuk maken op de vereisten van de AVG. Daartoe beveelt de EDPB aan dat verwerkingsverantwoordelijken gebruikmaken van interdisciplinaire teams, bestaande uit onder meer ontwerpers, func...
Richtsnoeren 01/2022 over de rechten van betrokkenen Recht van inzage
guidelines recht op inzage
Het recht van inzage van betrokkenen is vastgelegd in artikel 8 van het Handvest van de grondrechten van de Europese Unie. Het maakt al sinds het begin deel uit van het Europese wettelijke kader voor gegevensbescherming en wordt nu verder ontwikkeld met specifiekere, preciezere regels in artikel 15 AVG.
Richtsnoeren 8/2020 betreffende de targeting van gebruikers van sociale media
guidelines targeting gebruikers sociale media
Richtsnoeren 3/2018 over het territoriale toepassingsgebied van de AVG (artikel 3)
guidelines territoriaal toepassingsgebied AVG
News (2)
VDAI (Lithuania) - Decision No. 3R-1700
Facts }}}} The DPA held that a gambling operator lawfully transferred data to a processor for sending invitations to sporting events, but found that the controller breached transparency obligations by not informing the data subject about the categories of data recipients.The DPA held that the operator of a gambling site lawfully transferred data to a processor for sending invitations to sporting events since the engagement of a processor does not require a separate legal basis. However, the cour
Is the AI Act caging ChatGPT and other General Purpose Artificial Intelligence systems?
> The growth of generative artificial intelligence systems has led EU lawmakers to focus on General Purpose AI in drafting the AI Act, which will set the framework governing artificial intelligence in the European Union. As previously reported, the EU Parliament has already broadened the definition of artificial intelligence for the purposes of the AI Act… The post Is the AI Act caging ChatGPT and other General Purpose Artificial Intelligence systems? appeared first on GamingTechLaw.