Tag: digital omnibus ai act

  • AI Act Regulation: Penalties for Research Bodies

    AI Act regulation penalises non-compliance on a three-tier scale: up to €35 million or 7% of global annual turnover for prohibited AI practices, up to €15 million or 3% for high-risk and general-purpose AI failures, and up to €7.5 million or 1% for supplying false information to regulators — whichever figure is higher in each case. For a university, spinout, or research consortium, the exposure is rarely the maximum headline number; it is the cost of misclassifying an admissions algorithm, an exam-proctoring tool, or a recruitment screen as “low risk” when the law says otherwise.

    The EU Artificial Intelligence Act (Regulation (EU) 2024/1689) is the harmonised EU law setting risk-based obligations and penalties for AI systems, and it applies to research institutions as deployers whenever an AI system’s output affects people in the EU.

    What actually counts as an AI Act violation for a research institution?

    Universities and consortia rarely build the AI systems they use — they deploy them. Under the Act, a deployer is any organisation using an AI system in a professional capacity, and deployers carry real obligations even when a vendor built the underlying model. A learning-management platform that scores exam integrity, an HR tool that ranks job applicants, or an admissions filter all fall within scope if they touch people inside the EU, regardless of where the institution is based.

    Non-compliance is not a single offence. It spans failing to conduct a fundamental rights impact assessment, deploying an unregistered high-risk system, ignoring human-oversight requirements, or running a system the Act classifies as prohibited. Each failure mode sits on a different penalty tier.

    How much can an AI Act fine cost, tier by tier?

    Article 99 of Regulation (EU) 2024/1689 sets three fine bands. The final figure is whichever is higher — the flat euro cap or the percentage of worldwide annual turnover — which matters enormously for a university with a large total budget but a tiny AI-specific footprint.

    | Violation type | Maximum fine | Turnover percentage | Typical trigger for a research institution |
    |---|---|---|---|
    | Prohibited AI practices (Art. 5) | €35,000,000 | 7% | Emotion-recognition in exams; covert biometric categorisation of students or staff |
    | High-risk system / GPAI obligation breaches | €15,000,000 | 3% | Recruitment or admissions AI deployed without a rights impact assessment |
    | Supplying incorrect, incomplete or misleading information | €7,500,000 | 1% | Inaccurate disclosures to a market surveillance authority or notified body |

    Regulators must apply fines proportionately, weighing the nature, gravity and duration of the breach against the size of the organisation. Article 99(6) directs authorities to consider the interests of small and medium-sized enterprises and start-ups — relevant for university spinouts on constrained budgets — but this softens the number, not the underlying obligation.

    • Fines apply per infringement, so a consortium running several non-compliant systems faces cumulative, not capped, exposure.
    • Turnover is calculated on the whole legal entity’s global turnover, not just the department’s AI-related revenue or grant income.
    • National market surveillance authorities, not the EU AI Office, issue most fines against deployers; the AI Office focuses on general-purpose AI providers.

    Which of your institution’s AI systems could be “prohibited” outright?

    Article 5 bans a specific list of practices regardless of sector, and several map directly onto tools already used in higher education and research settings. A prohibited AI practice cannot be risk-managed into compliance — it must be withdrawn.

    The clearest overlaps for a research institution are:

    • Emotion recognition in educational institutions or workplaces, except for narrow medical or safety purposes — implicating some exam-proctoring and staff-monitoring software.
    • Biometric categorisation systems inferring race, political opinion, trade union membership, religion, or sexual orientation from biometric data.
    • Untargeted scraping of facial images from the internet or CCTV to build a recognition database — relevant to campus security systems built on scraped datasets.
    • Social-scoring-style evaluation of individuals by behaviour or personal traits leading to detrimental treatment unrelated to the original context.

    From 2 December 2026, two further prohibited categories take effect under the Digital Omnibus agreement: AI systems that generate or manipulate non-consensual intimate imagery (“nudifier” applications) and systems used to produce child sexual abuse material. Institutions running student-safeguarding or content-moderation tooling should confirm vendor compliance well ahead of that date.

    Has the Digital Omnibus changed the deadlines that matter?

    Yes, but selectively. The Act’s obligations phase in from its 1 August 2024 entry into force: prohibited practices became enforceable on 2 February 2025 (six months later), and general-purpose AI model obligations followed on 2 August 2025 (twelve months later). Both dates have already passed and remain in force.

    In November 2025, the Council and Parliament agreed a “Digital Omnibus” simplification package — analysed by law firms including DLA Piper, Gibson Dunn and White & Case — pushing back the two remaining high-risk deadlines. Stand-alone high-risk systems under Annex III (covering most education, employment and public-service AI) now face obligations from 2 December 2027 rather than August 2026, a sixteen-month reprieve. High-risk AI embedded in regulated products under Annex I moves to 2 August 2028.

    Two dates were not delayed: Article 50 transparency obligations — labelling AI-generated content and disclosing chatbot interactions — still apply from 2 August 2026, the same date the Commission gains full penalty-enforcement powers over general-purpose AI providers. Institutions assuming the whole Act slipped to 2027 risk missing this transparency deadline.

    What should a research institution do now?

    The Digital Omnibus buys time on high-risk classification work, not on everything. A defensible position by August 2026 requires:

    • Inventory every AI system touching students, staff, applicants, or research subjects, tagged against the Article 5 prohibited list and Annex III high-risk categories.
    • Confirm any generative AI or chatbot-facing tool meets the Article 50 transparency requirement before 2 August 2026, independent of the high-risk delay.
    • Assign a named owner — typically in research administration or data governance — to track phased deadlines rather than treat the Act as one compliance date.
    • Apply vendor due diligence to procured AI tools, since deployer obligations do not disappear because a third party built the system.

    Answer-first: common questions on AI Act penalties

    Is the AI Act a regulation?

    Yes. The Artificial Intelligence Act is Regulation (EU) 2024/1689, meaning it applies directly and uniformly across all EU member states without needing national transposing legislation. It entered into force on 1 August 2024, and its obligations phase in over a multi-year timeline extending to 2028.

    What is the EU AI Act in 2026?

    By mid-2026, the prohibited-practice and general-purpose AI rules are already fully enforceable, while most high-risk system obligations have been pushed to December 2027 and August 2028 under the November 2025 Digital Omnibus agreement. Article 50 transparency duties and full GPAI enforcement powers still take effect on 2 August 2026 as originally scheduled.

    Does the UK have to comply with the EU AI Act?

    The UK has no domestic equivalent to the AI Act, but the regulation’s extraterritorial scope reaches UK institutions whenever their AI system’s output is used by, or affects, people in the EU. A UK university running an EU-facing admissions or research-collaboration platform can fall within scope despite being outside the bloc.

    Does the UK have any AI regulation of its own?

    Not a single statute. The UK relies on a sector-by-sector, principles-based approach enforced by existing regulators (ICO, EHRC, Ofcom) rather than one AI Act. This is why UK institutions with EU-facing systems must track both the domestic guidance and the EU regulation’s extraterritorial reach separately.

    What this means for institutional risk management

    The headline €35 million figure will rarely apply to a university outright, but the reputational cost of a prohibited-practice finding is not confined to the fine itself. A finding against emotion-recognition exam software invites scrutiny of every other AI-enabled assessment tool on campus, and funders increasingly expect institutions to demonstrate AI governance maturity, mirroring assurance expectations already familiar from research administration compliance frameworks.

    Treating AI Act regulation as a procurement and governance discipline — inventory, classification, named ownership, phased deadline tracking — converts an open-ended legal risk into a manageable operational programme.

    Where this is heading

    The Digital Omnibus shows the EU will adjust timelines under pressure, but it has not softened the penalty structure, and it has added prohibited categories rather than removed any. Research institutions should expect further phased deadlines and continued extraterritorial reach, and should treat every delay as a planning window, not a reason to deprioritise compliance work.

  • UK AI Regulatory Framework: EU Sandboxes to 2027

    The UK AI regulatory framework relies on existing sector regulators and five cross-sectoral principles rather than a single AI law, while a related EU milestone has just slipped: Article 57 of the EU AI Act required every member state to launch a national AI regulatory sandbox by 2 August 2026, and the EU’s Digital Omnibus simplification package has now pushed that deadline to 2 August 2027. For research institutions piloting AI in admissions, exam proctoring, or research-assistant tools, the delay changes when a supervised testing route becomes available — and it puts a spotlight on what the UK offers instead.

    An AI regulatory sandbox is a supervised legal and technical environment, established by a national competent authority, in which providers can develop, test, and validate innovative AI systems under direct regulatory oversight before those systems are placed on the market.

    What is an AI regulatory sandbox under Article 57?

    Article 57 of Regulation (EU) 2024/1689 — the EU AI Act — requires each member state to ensure its competent authorities establish at least one national AI regulatory sandbox. Inside the sandbox, providers develop, train, validate, and test AI systems under a supervised programme agreed with the regulator, with derogations available for limited real-world testing before a product goes to market.

    The mechanism exists because conformity assessment for high-risk AI systems is otherwise a one-shot, post-hoc exercise. A sandbox lets a university, a health authority, or a fintech firm iterate on a system’s design with a regulator in the room, reducing the risk of building a product that fails assessment after deployment. The AI Act entered into force on 1 August 2024 and becomes fully applicable on 2 August 2026, with obligations phased in across that period.

    Why did the 2026 sandbox deadline slip?

    The original Article 57 deadline required sandboxes to be operational by 2 August 2026 — the same date the AI Act’s general obligations take full effect. By early 2026, the European Parliament’s own think tank was reporting that the European Commission had not yet adopted the implementing act setting out common rules for how sandboxes should operate, leaving member states without the technical detail needed to stand theirs up on schedule.

    Several factors compounded the delay:

    • No implementing act: member states lacked Commission guidance on common sandbox rules until late in the schedule.
    • Resourcing: newly designated national AI authorities lacked the staff and budget sandboxes require.
    • Sequencing: sandboxes matter most for high-risk systems, and those detailed obligations do not apply until August 2027 anyway.

    What does the Digital Omnibus actually change?

    The Digital Omnibus is the European Commission’s 2026 simplification package for digital-rules legislation, including targeted amendments to AI Act deadlines. Under the package, the deadline for national AI regulatory sandboxes moves from 2 August 2026 to 2 August 2027 — aligning it with the date the Act’s detailed high-risk system obligations become enforceable, rather than with the earlier general-applicability date.

    The table below sets out how the EU timeline compares with the sandbox-equivalent mechanisms already running in the UK, which is not an EU member state and is not directly bound by Article 57.

    | Mechanism | Jurisdiction | Legal basis | Status / deadline |
    |---|---|---|---|
    | National AI regulatory sandbox | Each EU member state | AI Act Article 57 (Regulation (EU) 2024/1689) | Delayed from 2 Aug 2026 to 2 Aug 2027 under the Digital Omnibus |
    | FCA Regulatory Sandbox | UK, financial services | FCA innovation framework | Running in cohorts since 2016 |
    | ICO Regulatory Sandbox | UK, data protection | ICO service, independent of the AI Act | Ongoing, rolling applications |
    | AI Growth Labs | UK, cross-sector | Follows the AI Opportunities Action Plan | Pilot phase, sector-by-sector rollout |

    Does the UK AI regulatory framework offer an equivalent?

    The UK AI regulatory framework is a pro-innovation, context-specific model set out in the 2023 white paper “AI regulation: a pro-innovation approach”. Instead of a horizontal AI statute, existing regulators — the Information Commissioner’s Office (ICO), the Competition and Markets Authority (CMA), and the Financial Conduct Authority (FCA) among them — apply five cross-sectoral principles: safety, security and robustness; appropriate transparency and explainability; fairness; accountability and governance; and contestability and redress.

    The UK has no Article 57 equivalent written into statute, but it is not starting from zero. The FCA has run a financial-services regulatory sandbox since 2016, the ICO already operates its own sandbox for organisations testing innovative, personal-data-driven products, and the government’s newer AI Growth Labs initiative is designed to pilot AI applications that existing rules would otherwise slow down. The gap is horizontal, cross-sector coverage of the kind Article 57 mandates for AI specifically — which matters because the AI Act’s extraterritorial scope catches any provider or deployer placing an AI system on the EU market or serving EU-based users, including UK universities with EU campuses, Erasmus partnerships, or platforms used by EU-resident students and researchers.

    What should research institutions piloting AI do now?

    Three categories of university AI pilot sit closest to this regulatory activity, and two of them are explicitly named as high-risk under Annex III of the AI Act: systems used to evaluate learning outcomes or assign students to institutions (admissions algorithms), and systems used to monitor or detect prohibited behaviour during tests (exam proctoring). Research-assistant models are not automatically high-risk but can trigger obligations depending on how their outputs are used in decision-making.

    Practical steps institutions can take while sandbox access is delayed:

    • Map pilots against Annex III now, since admissions and proctoring tools carry the highest compliance burden once high-risk obligations bite.
    • Use available UK sandboxes — the ICO’s service in particular — for pilots with a significant personal-data component, since that route does not depend on the EU timeline.
    • Track sandbox announcements in EU jurisdictions where the institution has a legal presence, so an application can be lodged as soon as one opens.
    • Document testing activity conducted before 2027; sandbox participation typically requires evidence of a structured development process, not a blank pilot history.

    Answer-first questions on sandboxes and the delay

    What is the deadline for AI regulatory sandboxes now?

    Under the Digital Omnibus, EU member states must have at least one operational national AI regulatory sandbox by 2 August 2027, one year later than the original Article 57 deadline of 2 August 2026. The new date aligns with when the AI Act’s detailed high-risk obligations take full effect.

    Which EU countries missed the original 2026 sandbox deadline?

    By the original deadline, most member states had not launched an operational sandbox, largely because the European Commission’s implementing act setting common sandbox rules had not been adopted in time. Newly designated national AI authorities also lacked the staffing to meet the schedule unassisted.

    Does the UK have to comply with the EU AI Act?

    The UK is not an EU member state, so Article 57 does not bind it directly. However, the AI Act’s extraterritorial scope applies to any provider or deployer placing an AI system on the EU market or serving EU-based users — a live issue for UK universities with EU partnerships or EU-resident users.

    Are university admissions and proctoring tools classified as high-risk AI?

    Annex III of the EU AI Act explicitly lists AI systems used for admission or assignment to educational institutions, and for monitoring or detecting prohibited student behaviour during tests, as high-risk applications. Both categories face the Act’s strictest conformity, documentation, and human-oversight requirements.

    Outlook: what comes next

    The sandbox delay buys implementers time, but it does not change the substance of what Article 57 sandboxes are for or which university AI pilots will eventually need them. Institutions that map their admissions, proctoring, and research-assistant pilots against Annex III now — and use existing UK routes such as the ICO sandbox in the interim — will be positioned to apply the moment national EU sandboxes open in 2027, rather than starting that process from scratch.

    Research administrators coordinating these pilots across institutional and cross-border governance structures may find it useful to review how research administration functions are adapting their compliance workflows to AI-specific regulatory requirements more broadly.

  • Digital Omnibus AI Act: New 2027 Deadlines

    The Digital Omnibus AI Act agreement, reached by EU co-legislators on 7 May 2026, postpones the AI Act’s high-risk obligations to 2 December 2027 for standalone systems and 2 August 2028 for product-embedded systems, pushes the national AI regulatory sandbox deadline from 2 August 2026 to 2 August 2027, and shortens the AI-generated-content labelling grace period to a new deadline of 2 December 2026. Prohibited-practice and general-purpose-AI (GPAI) obligations already in force are unaffected.

    The Digital Omnibus on AI is the EU’s amending regulation to Regulation (EU) 2024/1689 (the AI Act) that recalibrates several implementation deadlines and simplifies selected compliance requirements without altering the Act’s underlying risk-based framework.

    What Has Changed Under the Digital Omnibus?

    The European Commission published its Digital Omnibus on AI proposal on 19 November 2025, and the Council presidency and European Parliament negotiators reached a provisional political agreement on 7 May 2026. The European Parliament granted final approval on 16 June 2026. As of early July 2026, formal Council adoption and publication in the Official Journal are still pending, with completion expected by 2 August 2026 — the very date the original high-risk deadline would otherwise have taken effect.

    Until the amending regulation is published, the AI Act’s original text remains binding law. This is a narrow but real compliance-planning window: institutions cannot yet treat the new dates as legally settled, only as highly likely.

    The package also adds a new prohibition on AI systems that generate child sexual abuse material (CSAM) or non-consensual sexually explicit content (“nudifier” apps), reinstates the EU database registration requirement for AI systems exempted from high-risk classification, and reverts a proposed relaxation on processing special category data for bias detection back to a strict-necessity test.

    What Are the New AI Act Compliance Deadlines?

    The revised timeline replaces the Commission’s original “standards-linked” mechanism with fixed calendar dates, giving institutions a firm planning horizon rather than a moving target tied to standardisation progress.

    | Obligation | Original deadline | New deadline | Change |
    |---|---|---|---|
    | Standalone high-risk systems (Annex III: education access, employment/HR, credit scoring, critical infrastructure, law enforcement) | 2 August 2026 | 2 December 2027 | 16-month delay |
    | High-risk systems embedded in regulated products (Annex I: medical devices, machinery, toys) | 2 August 2027 | 2 August 2028 | 12-month delay |
    | AI-generated content labelling/watermarking (Article 50(2)) | 2 August 2026 | 2 December 2026 | Grace period cut to 4 months |
    | National AI regulatory sandbox establishment (Article 57) | 2 August 2026 | 2 August 2027 | 12-month delay |
    | Ban on CSAM/non-consensual intimate AI content | Not previously prohibited | 2 December 2026 | New obligation |
    | Prohibited AI practices (Article 5) | 2 February 2025 | Unchanged | Already in force |
    | GPAI model obligations (Articles 53–55) | 2 August 2025 | Unchanged | Already in force |

    Per the Council’s 7 May 2026 press release, “the provisional agreement also introduces a fixed timeline for the delayed application of high-risk rules: the new application dates would be 2 December 2027 for stand-alone high-risk AI systems and 2 August 2028 for high-risk AI systems embedded in products.” The same text confirms the sandbox deadline is postponed “until 2 August 2027.”

    Which AI Act Obligations Still Apply in 2026?

    Despite the headline delays, several obligations remain live this year. Institutions should not read “Digital Omnibus” as “AI Act paused.” The Act’s prohibited-practice regime and its general-purpose-AI rules were untouched by the negotiations.

    • Prohibited AI practices under Article 5 (e.g. social scoring, certain biometric categorisation, manipulative systems) have applied since 2 February 2025 and remain fully enforceable.
    • GPAI model provider obligations (transparency documentation, copyright-policy summaries, systemic-risk assessment for the most capable models) have applied since 2 August 2025.
    • Most Article 50 transparency duties — informing individuals they are interacting with an AI system, or that content is AI-generated — still take effect from 2 August 2026; only the specific machine-readable watermarking sub-obligation is delayed to 2 December 2026.
    • The narrowed research exemption in Article 2(6)/(8) is unchanged: it still covers only AI systems developed for the “sole purpose” of scientific research and development, and does not extend to real-world testing outside that narrow scope — a gap industry and legal commentators flagged but the Omnibus did not close.

    What Should Research Institutions Do Now?

    The Annex III high-risk categories map directly onto functions many universities, funders, and research offices already run or procure: “access to education and vocational training,” and “employment-related uses” covering recruitment, performance monitoring, and promotion decisions. Any admissions-scoring tool, proctoring system, or HR-screening AI a research institution uses now has until 2 December 2027 rather than August 2026 to meet high-risk documentation, human-oversight, and conformity-assessment requirements.

    That extra runway does not extend to everything an institution touches:

    • GPAI-based research tools (foundation models used in text/data mining, literature synthesis, or research-assistant products) have been subject to provider transparency obligations since August 2025 — this was not delayed and should already be reflected in procurement due diligence.
    • AI regulatory sandboxes, a route some national research funders and public research bodies planned to use for supervised testing of experimental AI tools, will not be mandatory at national level until 2 August 2027 — a year later than institutions may have budgeted for.
    • The research exemption remains narrow. Institutions running real-world pilots of AI tools (learning-analytics trials, clinical-AI validation studies) outside a controlled research-only environment should not assume blanket exemption; the classification tests apply as originally drafted.
    • AI-content labelling (Article 50(2), now due 2 December 2026) is directly relevant to scholarly publishing workflows: journals, repositories, and preprint servers using generative tools in editorial or production processes should track this date alongside their existing disclosure policies for AI-assisted content.

    Research administration offices coordinating compliance calendars should treat 2 December 2027 and 2 August 2028 as the two hard deadlines for high-risk systems, while keeping the unaffected 2025-dated GPAI and prohibited-practice obligations on their existing tracker — the Digital Omnibus changes the pace of the high-risk regime, not its scope.

    Answer-First Q&A

    What is the timeframe for the AI Act?

    The AI Act entered into force on 1 August 2024. Prohibited practices applied from 2 February 2025 and GPAI obligations from 2 August 2025. Following the Digital Omnibus, standalone high-risk systems now apply from 2 December 2027 and product-embedded high-risk systems from 2 August 2028.

    When do the AI Act’s high-risk obligations now apply?

    Under the provisional agreement, standalone Annex III high-risk systems (education, employment, credit, critical infrastructure) must comply by 2 December 2027. Annex I product-embedded systems (medical devices, machinery) have until 2 August 2028 — 16 and 12 months later than the AI Act’s original dates, respectively.

    Does the Digital Omnibus delay the AI Act sandbox deadline?

    Yes. The national AI regulatory sandbox deadline under Article 57 moves from 2 August 2026 to 2 August 2027, giving competent authorities an extra year to build supervised testing environments for innovators and public bodies.

    What AI Act obligations still apply in 2026?

    Prohibited practices and GPAI model obligations remain fully in force, having applied since 2025. Most Article 50 transparency duties still take effect on 2 August 2026, and the new CSAM/nudifier ban and AI-content watermarking sub-obligation both land on 2 December 2026.

    What Happens Next?

    The amending regulation still requires formal Council adoption and publication in the Official Journal before the new dates become legally binding, a process both the Council and independent legal analysis expect to conclude by 2 August 2026. Research institutions should build compliance calendars around the dates above now, while monitoring the Official Journal publication to confirm the fixed timeline takes definitive legal effect, and continue tracking CEN-CENELEC’s harmonised AI standards, whose slower-than-expected delivery was the stated driver for the entire postponement.